Topics in Normal Bases of Finite Fields

N. A. Carella

Copyright 2001. All rights reserved.

Table of Contents

Chapter 1 Bases of Finite Fields
1.1 Introduction ... 2
1.2 Definitions and Elementary Concepts ... 3
1.3 The Discriminants of Bases ... 7
1.4 Distribution of Bases ... 10
1.5 Dual Bases ... 11
1.6 Distribution of Dual Bases ... 16
1.7 Polynomial Bases ... 17

Chapter 2 Structured Matrices
2.1 Basic Concepts ... 22
2.2 Circulant Matrices ... 24
2.3 Triangular Matrices ... 31
2.4 Hadamard Matrices ... 33
2.5 Multiplication Tables ... 35

Chapter 3 Normal Bases
3.1 Basic Concepts ... 40
3.2 Existence of Normal Bases ... 41
3.3 Iterative Construction of Normal Bases ... 42
3.4 Additive Order and Decomposition Theorem ... 44
3.5 Normal Tests ... 46
3.6 Polynomial Representations ... 48
3.7 Dual Normal Bases ... 51
3.8 Distribution of Normal Bases ... 53
3.9 Distribution of Self-Dual Normal Bases ... 54
3.10 Formulae for Normal Elements/Polynomials ... 57
3.11 Completely Normal Bases and Testing Methods ... 59
3.12 Infinite Sequences of Normal Elements/Polynomials ... 62
3.13 Characteristic Functions ... 64
3.14 Primitive Normal Bases ... 67
3.15 Applications of Fractional Linear Transformations to Normal Bases ... 68

Chapter 4 General Periods
4.1 Concept of Periods ... 72
4.2 Cyclotomic Periods ... 74
4.3 Cyclotomic Numbers ... 76
4.4 Linear and Algebraic Properties of the Integers (i, j) ... 79
4.5 Characterization of the Periods ... 80
4.6 Cyclotomic Numbers of Short Type ... 81
4.7 Extension to the Z_r ... 86
4.8 Extension of the Finite F_p ... 86
4.9 Properties ... 87

Chapter 5 Period Polynomials
5.1 Definition of Period Polynomials ... 92
5.2 Discriminant and Factorization of Period Polynomials ... 94
5.3 Period Polynomials of Low Degrees ... 95
5.4 Period Polynomials of High Degrees ... 101
5.5 Coefficients Calculations via Power Sums Method ... 107
5.6 Sequences of Period Polynomials ... 110

Chapter 6 Period Normal Bases
6.1 Definitions and Existence ... 114
6.2 Existence of Period Normal Bases ... 115
6.3 Polynomial Representations of Periods ... 120
6.4 Dual Period Normal Bases ... 122

Chapter 7 Period Normal Bases for Extensions of Low Degrees
7.1 Quadratic Extensions ... 128
7.2 Dual Period Normal Bases of Quadratic Extensions ... 129
7.3 Multiplications in Quadratic Extensions ... 131
7.4 Criteria for Cubic Nonresidues ... 135
7.5 Period Normal Bases of Cubic Extensions ... 136
7.6 Dual Period Normal Bases of Cubic Extensions ... 138
7.7 Multiplications in Cubic Extensions ... 138

Chapter 8 Asymptotic Proofs
8.1 Primitive Polynomial with Prescribed Coefficients ... 143
8.2 Primitive Normal Polynomial with Prescribed Coefficients ... 153

References ... 165

Chapter 1

Bases of Finite Fields


1.1 Introduction

This chapter introduces various fundamental ideas and terminologies essential for the understanding of vector representations of finite fields. The study of bases of representations of finite fields and the corresponding computational algorithms is an extensive and important subject.

There are various methods of representing finite fields. The most common are vector space, cyclic, polynomial quotient ring, number field quotient, matrix, and binary representations. They are listed here in that order.

(1) $\mathbb{F}_{q^n} \cong \{\, x = x_0\alpha_0 + x_1\alpha_1 + \cdots + x_{n-1}\alpha_{n-1} : x_i \in \mathbb{F}_q \,\}$, where {α0, α1, ..., αn−1} is a basis.

(2) $\mathbb{F}_{q^n} \cong \langle \xi \rangle \cup \{0\}$, where ξ is a generator of the multiplicative group of Fqn.

(3) $\mathbb{F}_{q^n} \cong \mathbb{F}_q[x]/(f(x))$, where f(x) is an irreducible polynomial of degree n.

(4) $\mathbb{F}_{q^n} \cong \mathcal{O}_K/\mathcal{I}$, where ℐ is a maximal ideal and O_K is the ring of integers in a number field K.

These representations are widely used in algebraic .

(5) $\mathbb{F}_{q^n} \cong \{\text{subset of nonsingular matrices}\}$.

(6) $\mathbb{F}_{q^n} \cong \{\, l\text{-adic vectors} \,\}$, where the vectors are defined by a function $\varphi : \mathbb{F}_{q^n} \to \mathbb{F}_l^{\,n}$. Two instances are the 2-adic representation (binary):

$$\varphi(x) = \left[ \frac{x^{q^n-1} + (x+\alpha_{n-1})^{(q^n-1)/2}}{2}, \;\ldots,\; \frac{x^{q^n-1} + (x+\alpha_0)^{(q^n-1)/2}}{2} \right],$$

and the 3-adic representation:

$$\varphi(x) = \left[ (x+\alpha_{n-1})^{(q^n-1)/2}, \;\ldots,\; (x+\alpha_1)^{(q^n-1)/2}, \;(x+\alpha_0)^{(q^n-1)/2} \right],$$

where α0, α1, …, αn−1 ∈ Fqn are fixed.

The fastest methods for addition and subtraction are implemented with vector space representations, and the fastest methods for multiplication, division, discrete exponentiation, and certain root extractions are implemented with cyclic representations. On the other hand, the fastest algorithms for computing discrete logarithms in finite fields are implemented in polynomial quotient rings and quotients of number fields, see [1, Adleman and DeMarrais], [1, ElGamal], etc. Matrix representations have applications in the construction of hash functions,

Copyright 2001. - 2 - Bases of Finite Fields

pseudorandom number generators, and others, see [3, Geiselmann]. Normal bases (which are vector space representations) and binary representations are useful in polynomial factorization, see [1, Niederreiter], [1, Camion], and [1, Ganz]. Since addition and subtraction are highly efficient operations with respect to most bases, the main focus is on multiplication and multiplicative inverse algorithms with respect to the various bases of the finite fields Fqn over Fq.

1.2 Definitions and Elementary Concepts

Several methods for identifying the bases of the vector space Fqn over Fq will be considered in this section. The notion of basis of a vector space has already appeared in this text. The concept of basis and the related idea of linear independence, (also algebraic independence), are recurrent themes throughout mathematics.

Definition 1.1. A subset of elements {α0, α1, ..., αn−1} ⊂ Fqn is said to be a basis of the vector space Fqn over Fq if and only if every element α ∈ Fqn can be uniquely written as a linear combination

α = a0α0 + a1α1 + ⋅⋅⋅ + an−1αn−1,

where ai ∈ Fq.

A redundant basis is a basis such that every element has a representation as a linear combination, but not necessarily a unique one. Some algorithms based on redundant bases are more efficient than those based on nonredundant bases. A redundant basis {α0, α1, ..., αn−1, 1} of Fqn over Fq is employed in [2, Gao, et al] to improve the exponentiation algorithm. A redundant normal basis permits multiple representations of the elements, e.g., 0 = α0 + α1 + ⋅⋅⋅ + αn−1 + 1 among others if q > 2. Redundant bases are also used to represent integers in fast exponentiation algorithms, and real/complex numbers in numerical algorithms which implement carry-free arithmetic operations.

Definition 1.2. Let {α0, α1, ..., αn−1} be a subset of Fqn. The regular matrix representation of the set {α0, α1, ..., αn−1} is defined by the n×n matrix $A = (\sigma^i(\alpha_j)) = (\alpha_j^{q^i})$. The matrix

$$A = \begin{pmatrix} \alpha_0 & \alpha_1 & \alpha_2 & \cdots & \alpha_{n-1} \\ \alpha_0^{q} & \alpha_1^{q} & \alpha_2^{q} & \cdots & \alpha_{n-1}^{q} \\ \alpha_0^{q^2} & \alpha_1^{q^2} & \alpha_2^{q^2} & \cdots & \alpha_{n-1}^{q^2} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{q^{n-1}} & \alpha_1^{q^{n-1}} & \alpha_2^{q^{n-1}} & \cdots & \alpha_{n-1}^{q^{n-1}} \end{pmatrix}$$

occurs very frequently in the analysis of bases and matrix representations of linear functionals in finite fields.

Definition 1.3. A pair of bases {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} are equivalent if each βi = cαi for some constant c ∈ Fq.

The equivalence class of each basis {α0, α1, ..., αn−1} can be viewed as a point in the (n−1)-dimensional projective space $\mathbb{P}^{n-1}(\mathbb{F}_{q^n})$.

Lemma 1.4. A subset {α0, α1, ..., αn−1} of elements of Fqn is a basis of the vector space Fqn over Fq if and only if the n×n regular matrix representation A associated to {α0, α1, ..., αn−1} is nonsingular.

Proof: Suppose that {α0, α1, ..., αn−1} is a basis, and let β ∈ Fqn. Now consider the system of equations

$$\beta = \sum_{i=0}^{n-1} b_i\alpha_i,\qquad \beta^{q} = \sum_{i=0}^{n-1} b_i\alpha_i^{q},\qquad \ldots,\qquad \beta^{q^{n-1}} = \sum_{i=0}^{n-1} b_i\alpha_i^{q^{n-1}}.$$

Since the subset of elements {α0, α1, ..., αn−1} is a basis, the system of equations, rewritten as a vector equation

$$(\beta, \beta^{q}, \ldots, \beta^{q^{n-1}}) = A\,b,$$

has a unique solution b = (b0, b1, ..., bn−1). This implies that the matrix A is nonsingular. Conversely, if the matrix A is nonsingular, then the above system of equations has a unique solution. This in turn implies that each β ∈ Fqn has a unique representation as a linear combination β = b0α0 + b1α1 + ⋅⋅⋅ + bn−1αn−1, bi ∈ Fq, so {α0, α1, ..., αn−1} is a basis. ∎

Lemma 1.5. (Basis lifting lemma) A basis {α0, α1, ..., αn−1} of Fqn over Fq is also a basis of Fqnk over Fqk for all integers k such that gcd(k, n) = 1.

Proof: Let a0, a1, ..., an−1 ∈ Fqk and consider the system of equations

$$\begin{aligned} a_0\alpha_0 + a_1\alpha_1 + a_2\alpha_2 + \cdots + a_{n-1}\alpha_{n-1} &= 0 \\ a_0\alpha_0^{q^k} + a_1\alpha_1^{q^k} + a_2\alpha_2^{q^k} + \cdots + a_{n-1}\alpha_{n-1}^{q^k} &= 0 \\ a_0\alpha_0^{q^{2k}} + a_1\alpha_1^{q^{2k}} + a_2\alpha_2^{q^{2k}} + \cdots + a_{n-1}\alpha_{n-1}^{q^{2k}} &= 0 \\ &\;\;\vdots \\ a_0\alpha_0^{q^{(n-1)k}} + a_1\alpha_1^{q^{(n-1)k}} + a_2\alpha_2^{q^{(n-1)k}} + \cdots + a_{n-1}\alpha_{n-1}^{q^{(n-1)k}} &= 0. \end{aligned}$$

Since gcd(k, n) = 1, the map i → ik (mod n) is a permutation of {0, 1, 2, ..., n−1} and the matrices $A = (\alpha_j^{q^i})$ and $A_k = (\alpha_j^{q^{ik}})$ are just row permutations of each other. Moreover, because the regular matrix representation A attached to this basis is nonsingular, it follows that the system of equations has only the trivial solution a = (a0, a1, ..., an−1) = (0, 0, ..., 0). This proves the linear independence of {α0, α1, ..., αn−1} over Fqk. ∎

The constraint gcd(k, n) = 1 ensures that the subset {α0, α1, ..., αn−1} remains linearly independent over the larger ground field Fqk and that αi ∉ Fqk, 0 ≤ i < n.

Example 1.6. Let n = 5, q = 2 and let Fq5 = { a0α0 + a1α1 + a2α2 + a3α3 + a4α4 : ai ∈ Fq }. Since gcd(5, k) = 1 for k = 1, 2, 3, and 4, the basis {α0, α1, α2, α3, α4} can be lifted to a basis of the finite fields Fq5 over Fq, Fq5⋅2 over Fq2, Fq5⋅3 over Fq3, and Fq5⋅4 over Fq4, et cetera. For k = 2, the permutation π is given by (0, 1, 2, 3, 4) → (π(0), π(1), π(2), π(3), π(4)) = (0, 2, 4, 1, 3), and the matrices are

$$A = \begin{pmatrix} \alpha_0 & \alpha_1 & \alpha_2 & \alpha_3 & \alpha_4 \\ \alpha_0^{q} & \alpha_1^{q} & \alpha_2^{q} & \alpha_3^{q} & \alpha_4^{q} \\ \alpha_0^{q^2} & \alpha_1^{q^2} & \alpha_2^{q^2} & \alpha_3^{q^2} & \alpha_4^{q^2} \\ \alpha_0^{q^3} & \alpha_1^{q^3} & \alpha_2^{q^3} & \alpha_3^{q^3} & \alpha_4^{q^3} \\ \alpha_0^{q^4} & \alpha_1^{q^4} & \alpha_2^{q^4} & \alpha_3^{q^4} & \alpha_4^{q^4} \end{pmatrix} \quad\text{and}\quad A_2 = \begin{pmatrix} \alpha_0 & \alpha_1 & \alpha_2 & \alpha_3 & \alpha_4 \\ \alpha_0^{q^2} & \alpha_1^{q^2} & \alpha_2^{q^2} & \alpha_3^{q^2} & \alpha_4^{q^2} \\ \alpha_0^{q^4} & \alpha_1^{q^4} & \alpha_2^{q^4} & \alpha_3^{q^4} & \alpha_4^{q^4} \\ \alpha_0^{q} & \alpha_1^{q} & \alpha_2^{q} & \alpha_3^{q} & \alpha_4^{q} \\ \alpha_0^{q^3} & \alpha_1^{q^3} & \alpha_2^{q^3} & \alpha_3^{q^3} & \alpha_4^{q^3} \end{pmatrix}.$$


Lifting a basis changes both the extension field from Fqn to Fqdn and the ground field from Fq to Fqd, d ≥ 1. A related notion is that of a complete basis. In this situation the field extension Fqn remains fixed but the ground field Fqd varies as d varies over the divisors d of n.

Definition 1.7. A basis {α0, α1, ..., αn−1} of Fqn over Fq is said to be a complete basis if it is a basis for Fqn over Fqd for all divisors d of n.

Current research in complete bases is limited to completely normal bases; see the chapter on normal bases for more details.

Theorem 1.8. (Iterated basis theorem) Let {α0, α1, ..., αr−1} and {β0, β1, ..., βs−1} be a pair of bases of Fqr and Fqs over Fq respectively. Then {α0β0, α0β1, ..., αr−1βs−1} is a basis of Fqrs over Fq.

Proof: Suppose the set {α0β0, α0β1, ..., αr−1βs−1} of n = rs elements is linearly dependent over Fq (not a basis). Then there exists a nontrivial vector (ai,j) ≠ (0, ..., 0), 0 ≤ i < r, 0 ≤ j < s, such that

$$\sum_{i=0}^{r-1}\sum_{j=0}^{s-1} a_{i,j}\alpha_i\beta_j = \sum_{j=0}^{s-1}\Big(\sum_{i=0}^{r-1} a_{i,j}\alpha_i\Big)\beta_j = \sum_{i=0}^{r-1}\Big(\sum_{j=0}^{s-1} a_{i,j}\beta_j\Big)\alpha_i = 0.$$

But {α0, α1, ..., αr−1} and {β0, β1, ..., βs−1} are both linearly independent over Fq, so the inner sums satisfy both

$$\sum_{i=0}^{r-1} a_{i,j}\alpha_i = 0 \quad\text{and}\quad \sum_{j=0}^{s-1} a_{i,j}\beta_j = 0$$

simultaneously, which implies that (ai,j) = 0 for all pairs (i, j). This contradicts the existence of the nontrivial vector (ai,j) ≠ (0, 0, ..., 0). The converse is also easy to verify. ∎

Lemma 1.9. Let {α0, α1, ..., αn−1} be a basis of Fqn over Fq. Then there exists an element αi ∈ {α0, α1, ..., αn−1} such that Tr(αi) ≠ 0.

Proof: Suppose {α0, α1, ..., αn−1} is a basis, and Tr(αi) = 0 for all i ∈ {0, 1, 2, ..., n−1}. Then Tr(α) = a0Tr(α0) + a1Tr(α1) + ⋅⋅⋅ + an−1Tr(αn−1) = 0 for all α = a0α0 + a1α1 + ⋅⋅⋅ + an−1αn−1 ∈ Fqn. But this contradicts the fact that any finite field has elements of arbitrary traces. In fact, for any fixed a ∈ Fq, the equation Tr(α) = a has $q^{n-1}$ distinct solutions in Fqn. ∎


1.3 The Discriminants of Bases

The theory of discriminants of bases of finite fields is essentially the same as its counterpart in algebraic number theory.

Definition 1.10. Let {α0, α1, ..., αn−1} be a subset of Fqn and let T be the n×n matrix ( Tr(αiαj) ), called the trace matrix representation of the subset { αi }. The discriminant of this subset is defined by the determinant disc({αi}) = det(T) of the matrix T.

Theorem 1.11. The subset of elements {α0, α1, ..., αn−1} constitutes a basis of Fqn over Fq if and only if det(T) ≠ 0.

The proof of this result is fairly standard linear algebra, see [1, Lidl et al, p. 61]. Under certain conditions the regular matrix representation $A = (\sigma^i(\alpha_j)) = (\alpha_j^{q^i})$ and the trace matrix representation T = ( Tr(αiαj) ) satisfy the relation $\det(A)^2 = \det(T)$. Accordingly, either of the inequalities det(A) ≠ 0 or det(T) ≠ 0 implies that {α0, α1, ..., αn−1} is a basis.

Lemma 1.12. Suppose {α0, α1, ..., αn−1} is a subset of conjugate elements; then $\det(T) = \det(A)^2$.

Proof: Since the elements αi are conjugates and the maps $\sigma^k$ are automorphisms, $\sigma^k(\alpha_i\alpha_j) = \alpha_{i+k}\sigma^k(\alpha_j)$. Hence the (i, j)th entry in the matrix product $A\cdot A = (\sigma^i(\alpha_k))\cdot(\sigma^k(\alpha_j))$ is

$$\sum_{k=0}^{n-1}\sigma^i(\alpha_k)\,\sigma^k(\alpha_j) = \sum_{k=0}^{n-1}\alpha_{i+k}\,\sigma^k(\alpha_j) = \sum_{k=0}^{n-1}\sigma^k(\alpha_i\alpha_j) = \operatorname{Tr}(\alpha_i\alpha_j).$$

Quod erat demonstrandum. ∎

Theorem 1.13. Let {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} be a pair of bases of Fqn over Fq. Then $\operatorname{disc}(\{\beta_i\}) = D^2\,\operatorname{disc}(\{\alpha_i\})$ for some 0 ≠ D ∈ Fq.

Proof: Let n = 2 (it simplifies the argument and there is no loss in generality), and let Gal(Fq2/Fq) = {σ, σ²} be the group of automorphisms of Fq2. Since each pair is a basis, there is a 2×2 nonsingular matrix such that

β0 = aα0 + bα1, β1 = cα0 + dα1.

Therefore the matrix $B = (\sigma^i(\beta_j))$ attached to the set {β0, β1} is

$$\begin{pmatrix} \sigma(\beta_0) & \sigma^2(\beta_0) \\ \sigma(\beta_1) & \sigma^2(\beta_1) \end{pmatrix} = \begin{pmatrix} a\sigma(\alpha_0) + b\sigma(\alpha_1) & a\sigma^2(\alpha_0) + b\sigma^2(\alpha_1) \\ c\sigma(\alpha_0) + d\sigma(\alpha_1) & c\sigma^2(\alpha_0) + d\sigma^2(\alpha_1) \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} \sigma(\alpha_0) & \sigma^2(\alpha_0) \\ \sigma(\alpha_1) & \sigma^2(\alpha_1) \end{pmatrix}.$$

Taking determinants on both sides yields the claim, with D = ad − bc ≠ 0. ∎

The discriminant function induces an equivalence relation on the set ℬ = { Bases of Fqn over Fq }. One of the equivalence classes consists of all bases which have equal discriminant or are the same up to a linear transformation L of determinant det(L) = 1; these bases are referred to as integral bases in Algebraic Number Theory.

The discriminant disc({αi}) of the power basis {1, α, α², ..., α^{n−1}} coincides with the discriminant of the minimal (characteristic) polynomial of α. Two well known formulae are presented now.

Theorem 1.14. Let α be a root of f(x) ∈ Fq[x]. Then the discriminant disc({α^i}) of the power basis {1, α, α², ..., α^{n−1}} is given by

$$(1)\quad \operatorname{disc}(\{\alpha^i\}) = \prod_{0\le i<j<n}\big(\alpha^{q^i} - \alpha^{q^j}\big)^2,$$

$$(2)\quad \operatorname{disc}(\{\alpha^i\}) = (-1)^{n(n-1)/2}\,N(f'(\alpha)),$$

where N : Fqn → Fq is the norm, and f′(x) is the derivative of f(x).

Proof: Let α0, α1, ..., αn−1 be the roots of f(x). Then the matrix $A = (\sigma^i(\alpha^j))$ is a Vandermonde matrix, and the matrix $T = (\operatorname{Tr}(\alpha^i\alpha^j)) = AA^{T}$, so the discriminant $\operatorname{disc}(\{\alpha^i\}) = \det(A)^2$ is formula (1) above. Since there are n(n − 1)/2 ways of choosing a pair αi, αj, and $f'(\alpha_i) = \prod_{j \ne i}(\alpha_i - \alpha_j)$, the product of the indexed derivatives leads to

$$\prod_{i=0}^{n-1} f'(\alpha_i) = \prod_{i=0}^{n-1}\prod_{\substack{j=0 \\ j\ne i}}^{n-1}(\alpha_i - \alpha_j) = (-1)^{n(n-1)/2}\prod_{0\le i<j}(\alpha_i - \alpha_j)^2.$$

Similarly

$$\prod_{i=0}^{n-1} f'(\alpha_i) = \prod_{i=0}^{n-1}\sigma^i\big(f'(\alpha)\big) = N(f'(\alpha)),$$

where $\sigma^i$ is an automorphism. These complete the proofs. ∎


It is easy to verify that the matrix T = ( Tr(αiαj) ) is a bilinear form over Fq, and for odd prime powers q = p^t it can be classified as one of two types: either a matrix whose determinant det(T) is a (square) quadratic residue, or a matrix whose determinant det(T) is a (nonsquare) nonquadratic residue, both in Fq.

Lemma 1.15. (Artin 1957) Let q be an odd prime power. Then there are exactly two equivalence classes of nondegenerate symmetric bilinear forms on an n-dimensional vector space over Fq, represented by the identity matrix In = diag(1, 1, ..., 1) and the diagonal matrix V = diag(1, 1, 1, ..., v), where v ∈ Fq is a nonsquare.

This property of the matrix T is employed in [2, Jungnickel et al.] to simplify the proof of the self-dual basis theorem. The more general matrix T = ( Tr(αiβj) ) attached to a pair of subsets {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} also lends itself to the investigation of dual properties of these subsets.

Abel’s formula in finite characteristic is a relationship between the determinant of the regular matrix representation A attached to a subset of elements {αn−1, …, α1, α0} and the coefficients of the minimal linear polynomial of the subset of elements. The case n = 2 involves a second order linear differential equation

$$a_2 x^{q^2} + a_1 x^{q} + a_0 x = 0, \qquad a_2 a_0 \ne 0.$$

The solution space is spanned by any two roots {α1, α0} of the linear polynomial. Thus

$$\alpha_0^{q^2} + b_1\alpha_0^{q} + b_0\alpha_0 = 0, \qquad \alpha_1^{q^2} + b_1\alpha_1^{q} + b_0\alpha_1 = 0,$$

where $b_1 = a_1/a_2$, $b_0 = a_0/a_2$. Adding multiples of the two previous equations results in

$$\big(\alpha_1^{q^2}\alpha_0^{q} - \alpha_0^{q^2}\alpha_1^{q}\big) + b_0\big(\alpha_1\alpha_0^{q} - \alpha_0\alpha_1^{q}\big) = 0.$$

This is equivalent to $a_2 D^{q} - a_0 D = 0$, where

$$D = \det\begin{pmatrix} \alpha_0 & \alpha_1 \\ \alpha_0^{q} & \alpha_1^{q} \end{pmatrix}.$$

Additional details appear in [1, Goss, p. 22], and the general case is as follows.

Lemma 1.16. Let {αn−1, …, α1, α0} be any n roots of the linear polynomial $f(x) = \sum_{i=0}^{n} a_i x^{q^i}$, and let D = det(A). Then $a_n D^{q} + (-1)^{n+1} a_0 D = 0$.


Proof: Let ana0 ≠ 0, otherwise the subset is linearly dependent, and let

$$A = \begin{pmatrix} \alpha_0 & \alpha_1 & \cdots & \alpha_{n-1} \\ \alpha_0^{q} & \alpha_1^{q} & \cdots & \alpha_{n-1}^{q} \\ \vdots & \vdots & & \vdots \\ \alpha_0^{q^{n-1}} & \alpha_1^{q^{n-1}} & \cdots & \alpha_{n-1}^{q^{n-1}} \end{pmatrix} \quad\text{and}\quad A^{q} = \begin{pmatrix} \alpha_0^{q} & \alpha_1^{q} & \cdots & \alpha_{n-1}^{q} \\ \alpha_0^{q^2} & \alpha_1^{q^2} & \cdots & \alpha_{n-1}^{q^2} \\ \vdots & \vdots & & \vdots \\ \alpha_0^{q^{n}} & \alpha_1^{q^{n}} & \cdots & \alpha_{n-1}^{q^{n}} \end{pmatrix}.$$

Replacing $\alpha_i^{q^n} = -a_n^{-1}\sum_{j=0}^{n-1} a_j\alpha_i^{q^j}$ in the matrix $A^{q}$, and simplifying the determinant, proves the claim. ∎

1.4 Distribution of Bases

There is a close link between the numbers of various types of bases of Fqn over Fq and the sizes of various subgroups of the general linear group GLn(Fq) of n×n nonsingular matrices over Fq. A GLn(Fq)-orbit of any basis contains every basis of the vector space Fqn. As the matrix A = ( ai,j ) varies in GLn(Fq), the change of basis αi → βi given by

$$\begin{aligned} \beta_0 &= a_{0,0}\alpha_0 + a_{0,1}\alpha_1 + a_{0,2}\alpha_2 + \cdots + a_{0,n-1}\alpha_{n-1}, \\ \beta_1 &= a_{1,0}\alpha_0 + a_{1,1}\alpha_1 + a_{1,2}\alpha_2 + \cdots + a_{1,n-1}\alpha_{n-1}, \\ \beta_2 &= a_{2,0}\alpha_0 + a_{2,1}\alpha_1 + a_{2,2}\alpha_2 + \cdots + a_{2,n-1}\alpha_{n-1}, \\ &\;\;\vdots \\ \beta_{n-1} &= a_{n-1,0}\alpha_0 + a_{n-1,1}\alpha_1 + a_{n-1,2}\alpha_2 + \cdots + a_{n-1,n-1}\alpha_{n-1}, \end{aligned}$$

varies over all the bases of Fqn. Other relationships similar to this will appear in the investigation of bases. The precise statement about the size of the collection of bases is given below.

Lemma 1.17. The vector space Fqn over Fq has a total number of

$$B_q(n) = \prod_{i=0}^{n-1}\big(q^n - q^i\big) = q^{n(n-1)/2}\prod_{i=1}^{n}\big(q^i - 1\big)$$

distinct ordered bases.

Proof: The GLn(Fq)-orbit of a single basis consists of all the bases of Fqn over Fq. Thus Bq(n) = #GLn(Fq). ∎


The number of bases of Fqn over Fq grows exponentially as a function of n, and very quickly becomes unmanageable. From $B_q(n) = q^{n^2}\prod_{i=1}^{n}(1 - q^{-i})$, it is clear that the estimates

$$q^{n(n-1)} < B_q(n) < q^{n^2}$$

hold for all pairs (n, q). For tabulation purposes, it is more convenient to consider the number of unordered bases, which is given by Bq(n)/n!.

1.5 Dual Bases

Definition 1.18. Let x, y ∈ Fqn be a pair of vectors and let μ be a fixed element. The trace inner product of x and y is defined as the trace Tr(μxy) of the triple product of x, y, and μ. Two distinct elements are said to be trace orthogonal if Tr(μxy) = 0 in Fq.

Definition 1.19. A pair of bases {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} of Fqn over Fq are said to be dual bases if the trace orthogonal relation

$$\operatorname{Tr}(\mu\alpha_i\beta_j) = \begin{cases} c_i & \text{if } i = j, \\ 0 & \text{if } i \ne j, \end{cases}$$

holds for some fixed μ ∈ Fqn (note that ( Tr(μαiβj) ) = ( ciδi,j ) is a diagonal matrix).

The special case Tr(αiβj) = δi,j is referred to as dual bases. Moreover, if αi = βi the basis is called a self-dual basis. This corresponds to the simplest linear functional Tr(μαiβj) = ciδi,j with the parameters μ = 1 and c0 = c1 = ⋅⋅⋅ = cn−1 = 1.

The notion of dual bases is analogous to the notion of orthonormal bases in vector spaces over the complex numbers ℂ. If the two elements x, y ∈ Fqn are written in terms of a pair of dual bases {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} as x = x0α0 + x1α1 + ⋅⋅⋅ + xn−1αn−1 and y = y0β0 + y1β1 + ⋅⋅⋅ + yn−1βn−1, xi, yi ∈ Fq, then the trace inner product is given by

(x, y) = Tr(xy) = x0y0 + x1y1 + ⋅⋅⋅ + xn−1yn−1.

This is analogous to the standard inner product in vector spaces over the complex numbers ℂ with respect to orthonormal bases.


It is a simple matter to demonstrate that any finite field has a pair of dual bases. If x ∈ Fqn and {α0, α1, ..., αn−1} is a basis, write x = x0α0 + x1α1 + ⋅⋅⋅ + xn−1αn−1 = c0(x)α0 + c1(x)α1 + ⋅⋅⋅ + cn−1(x)αn−1, where ci(x) = xi is the coefficient function with respect to this basis. The existence of the dual basis {β0, β1, ..., βn−1} is a consequence of the fact that ci : Fqn → Fq is a linear functional on Fqn, and of the fact that every linear functional on Fqn has a unique trace representation. It immediately follows that ci(x) = Tr(βix) = xi for some unique βi ∈ Fqn. Specifically Tr(αiβj) = δi,j. Hence the subset {β0, β1, ..., βn−1} ⊂ Fqn is the unique dual basis of {α0, α1, ..., αn−1}. The previous observations prove the following.

Theorem 1.20. (Dual basis theorem) Every basis {α0, α1, ..., αn−1} of Fqn over Fq has a unique dual basis {β0, β1, ..., βn−1}.

Let n = rs, gcd(r, s) = 1, and let η ∈ Fqr and θ ∈ Fqs. The projected traces of ηθ in Fqr and Fqs are the elements

$$\operatorname{Tr}_{n:r}(\eta\theta) = \eta\operatorname{Tr}_{n:r}(\theta) = \eta\operatorname{Tr}_{s:1}(\theta), \quad\text{and}\quad \operatorname{Tr}_{n:s}(\eta\theta) = \theta\operatorname{Tr}_{n:s}(\eta) = \theta\operatorname{Tr}_{r:1}(\eta),$$

where $\operatorname{Tr}_{ab:b} : \mathbb{F}_{q^{ab}} \to \mathbb{F}_{q^b}$ is the relative trace function defined by

$$\operatorname{Tr}_{ab:b}(x) = x + x^{q^b} + x^{q^{2b}} + \cdots + x^{q^{(a-1)b}}.$$

These relationships will be employed to establish the iterated trace orthogonal dual basis theorem.

Theorem 1.21. (Iterated trace orthogonal dual basis theorem) Let {α0, α1, ..., αr−1}, {β0, β1, ..., βr−1} and {η0, η1, ..., ηs−1}, {θ0, θ1, ..., θs−1} be two pairs of dual bases of Fqr and Fqs over Fq respectively. Then {αiηj} and {βiθj}, 0 ≤ i < r, 0 ≤ j < s, is a pair of dual bases of Fqrs over Fq if and only if gcd(r, s) = 1.

Proof: By the iterated bases theorem it is known that {αiηj} and {βiθj} are both bases of Fqrs over Fq. Moreover, by hypothesis {αi} and {βi} are dual bases of Fqr over Fq, or equivalently

(1) Tr_{r:1}(αiβj) = δi,j, and Tr_{n:s}(αiβj) = Tr_{r:1}(αiβj), if and only if gcd(r, s) = 1. Similarly

(2) Tr_{s:1}(ηuθv) = δu,v, and Tr_{n:r}(ηuθv) = Tr_{s:1}(ηuθv). Now proceed to compute the dual basis relation:

$$\operatorname{Tr}_{rs:1}(\alpha_i\eta_u\beta_j\theta_v) = \operatorname{Tr}_{s:1}\big(\operatorname{Tr}_{rs:s}(\alpha_i\eta_u\beta_j\theta_v)\big) = \operatorname{Tr}_{s:1}\big(\eta_u\theta_v\operatorname{Tr}_{rs:s}(\alpha_i\beta_j)\big) = \delta_{i,j}\operatorname{Tr}_{s:1}(\eta_u\theta_v) = \delta_{i,j}\delta_{u,v}.$$

Thus the matrix ( Tr_{rs:1}(αiηuβjθv) ) = ( δ_{ur+i, vr+j} ) is the identity matrix. ∎

The power basis {1, α, α², ..., α^{n−1}} of Fqn over Fq, which corresponds to the standard basis of the vector space Fqn, is the most common and widely used basis.

Theorem 1.22. (Power Dual Basis Theorem) Let {1, α, α², ..., α^{n−1}} be the power basis of Fqn over Fq and let f(x) = (x − α)(bn−1x^{n−1} + ⋅⋅⋅ + b1x + b0) ∈ Fq[x] be the minimum polynomial of α. Then the list of elements

$$\beta_0 = \frac{b_0}{f'(\alpha)}, \quad \beta_1 = \frac{b_1}{f'(\alpha)}, \quad \ldots, \quad \beta_{n-1} = \frac{b_{n-1}}{f'(\alpha)}$$

forms the unique dual basis of the power basis over Fq.

Proof: The polynomial

$$g(x) = x^i - \sum_{j=0}^{n-1}\frac{\alpha^{iq^j}}{f'(\alpha^{q^j})}\,\frac{f(x)}{x - \alpha^{q^j}},$$

0 ≤ i < n, of degree deg(g(x)) < n has the same number of zeros as f(x), so g(x) = 0. Rewritten in terms of the trace function this becomes

$$\operatorname{Tr}\!\left(\frac{\alpha^i}{f'(\alpha)}\,\frac{f(x)}{x - \alpha}\right) = \operatorname{Tr}\!\left(\frac{\alpha^i}{f'(\alpha)}\,\big(b_{n-1}x^{n-1} + \cdots + b_1x + b_0\big)\right) = \sum_{j=0}^{n-1}\operatorname{Tr}\!\left(\frac{\alpha^i}{f'(\alpha)}\,b_j\right)x^j = x^i.$$

Matching coefficients on both sides of the last equation returns

$$\operatorname{Tr}\!\left(\alpha^i\,\frac{b_j}{f'(\alpha)}\right) = \operatorname{Tr}(\alpha^i\beta_j) = \delta_{i,j}. \qquad\blacksquare$$


This proof uses the fact that the ring Fq[x^{−1}] is σ-invariant, namely $\sigma^i(x^k) = x^k$ for all i, k ≥ 0; the other possible action of the automorphism, $\sigma^i(x) = x^{q^i}$, on Fq[x^{−1}] also works. The proof presented here is an adaptation to the structure of the roots of polynomials over finite fields. The more general version for separable extensions F(α) of arbitrary fields F is given in [1, Lange, p. 322]. A variation of this proof appears in [1, Menezes, p. 6].

Example 1.23. Let q = 2, n + 1 = 5, and let α be a root of f(x) = x⁴ + x³ + x² + x + 1 ∈ F2[x]. Since 2 has order 4 modulo 5, f(x) is irreducible over F2, and

$$f(x) = x^4 + x^3 + x^2 + x + 1 = (x - \alpha)(b_3x^3 + b_2x^2 + b_1x + b_0) = b_3x^4 + (\alpha b_3 + b_2)x^3 + (\alpha b_2 + b_1)x^2 + (\alpha b_1 + b_0)x + \alpha b_0.$$

Matching coefficients returns

$$b_0 = \alpha^{-1}, \quad b_1 = \alpha^{-2} + \alpha^{-1}, \quad b_2 = \alpha^{-3} + \alpha^{-2} + \alpha^{-1}, \quad b_3 = \alpha^{-4} + \alpha^{-3} + \alpha^{-2} + \alpha^{-1}.$$

And f′(x) = x² + 1, so 1/f′(α) = α² + α. Hence the dual of the power basis is

$$\begin{aligned} \delta_0 &= b_0/f'(\alpha) = \alpha^{-1}(\alpha^2 + \alpha) = \alpha + 1, \\ \delta_1 &= b_1/f'(\alpha) = (\alpha^{-2} + \alpha^{-1})(\alpha^2 + \alpha) = \alpha + \alpha^{-1}, \\ \delta_2 &= b_2/f'(\alpha) = (\alpha^{-3} + \alpha^{-2} + \alpha^{-1})(\alpha^2 + \alpha) = \alpha + \alpha^{-2}, \\ \delta_3 &= b_3/f'(\alpha) = (\alpha^{-4} + \alpha^{-3} + \alpha^{-2} + \alpha^{-1})(\alpha^2 + \alpha) = \alpha + \alpha^{-3}. \end{aligned}$$

The calculations of the dual basis δ0, δ1, …, δn−1 of the power basis 1, α, α², ..., α^{n−1} for the parameters n + 1 = prime, and 2 of order n modulo n + 1 (f(x) is irreducible over F2), are similar to these.

Theorem 1.24. The finite field Fqn has a pair of self-dual bases for the following parameters. (1) q is an even prime power. (2) q is an odd prime power and n = 2k + 1.

Theorem 1.25. (Imamura 1983) The finite field Fqn has no self-dual power bases.

Proof: A self-dual power basis { 1, α, α², ..., α^{n−1} } ⇒ Tr(1⋅α²) = 0 and Tr(α⋅α) = 1 simultaneously, which is a contradiction. ∎


Theorem 1.26. (Geiselmann, Gollmann 1993) The dual basis of the power (polynomial) basis {1, α, α², ..., α^{n−1}} is a if and only if n ≢ 0 mod p, p being the characteristic of Fqn, and the minimal polynomial of α has the form f(x) = x^n − c ∈ Fq[x].

Weakly Self-Dual Bases

The matrix T = ( Tr(αiβj) ) attached to a pair of dual bases {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} of Fqn over Fq is the identity matrix ( Tr(αiβj) ) = In in the general linear group GLn(Fq). But the matrix T = ( Tr(αiβj) ) attached to a pair of trace orthogonal bases is a nonsingular diagonal matrix ( Tr(αiβj) ) = diag(c0, c1, ..., cn−1). The result below extends the idea of trace orthogonal bases to allow matrices which are permutations of diagonal matrices.

Definition 1.27. A pair of bases {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} of Fqn over Fq are called weakly self-dual bases if there is an element t ∈ Fqn, elements c0, c1, ..., cn−1 ∈ Fq, and a permutation π(i) of {0, 1, 2, 3, ..., n−1} such that βi = tciαπ(i), i = 0, 1, ..., n − 1.

Theorem 1.28. (Morgan et al, 1997) The finite field Fqn of q^n elements has a weakly self-dual basis if and only if there exists an irreducible polynomial f(x) = x^n − cx^k − d ∈ Fq[x], 0 < k < n. The permutation π of {0, 1, 2, 3, ..., n−1} is given by π(i) ≡ k − 1 − i mod n if c ≠ 0, and π(i) ≡ −1 − i mod n if c = 0.

The last result generalizes the work of [Geiselmann], which establishes it for the polynomials f(x) = x^n − cx^k − 1 or x^n − d.

A pair of dual bases permits dual representations of the elements of Fqn as

$$\alpha = \sum_{i=0}^{n-1}\operatorname{Tr}(\alpha\beta_i)\,\alpha_i = \sum_{i=0}^{n-1}\operatorname{Tr}(\alpha\alpha_i)\,\beta_i.$$

Thus a conversion from one basis to the other basis involves the calculation of all the traces Tr(αβi) or Tr(ααi). On the other hand, a pair of weakly dual bases permits representations of the elements of Fqn as

$$\alpha = \sum_{i=0}^{n-1} x_i\alpha_i = \sum_{i=0}^{n-1} x_{\pi(i)}\alpha_{\pi(i)} = t^{-1}\sum_{i=0}^{n-1} c_i^{-1}x_{\pi(i)}\beta_i.$$

Accordingly, a conversion from one basis to the other basis involves n multiplications in Fq, n permutations of the coefficients, and one inversion (worst case). The multiplication complexity of weakly self-dual bases is discussed in [1, Shparlinski, p. 100].


1.6 Distribution of Dual Bases

For a pair of bases {α0, α1, ..., αn−1} and {β0, β1, ..., βn−1} and a nonsingular matrix A = ( ai,j ) ∈ GLn(Fq), consider the linear expressions

$$\alpha_i = \sum_{j=0}^{n-1} a_{i,j}\beta_j \quad\text{and}\quad \beta_i = \sum_{j=0}^{n-1} a_{i,j}\alpha_j.$$

The trace inner product of the pair αi and βj is given by

$$\operatorname{Tr}(\alpha_i\beta_j) = \operatorname{Tr}\!\Big(\sum_{s=0}^{n-1} a_{i,s}\alpha_s \sum_{t=0}^{n-1} a_{j,t}\beta_t\Big) = \sum_{s,t=0}^{n-1} a_{i,s}a_{j,t}\operatorname{Tr}(\alpha_s\beta_t).$$

Specializing this equation to dual bases, namely Tr(αiβj) = δi,j, leads to the dual bases equation

$$\operatorname{Tr}(\alpha_i\beta_j) = \sum_{s=0}^{n-1} a_{i,s}a_{j,s}.$$

This equation classifies the set of dual bases as the orbit of the orthogonal group $O_n(\mathbb{F}_q) = \{ A \in GL_n(\mathbb{F}_q) : AA^{T} = I_n \}$. In particular, if a finite field Fqn has a self-dual basis {αi} (it occurs only for certain combinations of n and q), then the orbit Orb({αi}) = { A{αi} : A ∈ On(Fq) } under the group of all n×n orthogonal matrices contains all the self-dual bases of Fqn over Fq.

Theorem 1.29. Let n > 1, and let q be a prime power. Then there are

$$SD_q(n) = \begin{cases} \displaystyle\prod_{i=1}^{n-1}\Big(q^i - \frac{1 + (-1)^i}{2}\Big) & \text{if } q \equiv 0 \bmod 2, \\[2ex] \displaystyle 2\prod_{i=1}^{n-1}\Big(q^i - \frac{1 + (-1)^i}{2}\Big) & \text{if } n, q \equiv 1 \bmod 2, \\[2ex] 0 & \text{otherwise,} \end{cases}$$

distinct ordered self-dual bases of Fqn over Fq.

A derivation of this equation appears in [2, 3, 4, Jungnickel et al.]. The integer SDq(n) is precisely the size of the orthogonal group On(Fq) whenever SDq(n) ≠ 0, see the chapter on Structured Matrices.

In contrast to ordinary bases, self-dual bases are very rare. The ratio of the number of self-dual bases to the number of ordinary bases is given by either

$$\frac{SD_q(n)}{B_q(n)} \approx \Big( q^{n(n-2)/4}\prod_{i=0}^{n/2-1}\big(q^{2i+1} - 1\big) \Big)^{-1}$$

or SDq(n)/Bq(n) = 0. This ratio rapidly vanishes as either n or q increases. Thus almost every basis of a finite field is a nonself-dual basis.
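As an added example (my own code, not the text's), the Python below works in the field F_{2^4} = F_2[x]/(x⁴ + x³ + x² + x + 1) of Example 1.23 and checks the chapter's statements on it: the trace-matrix basis test of Theorem 1.11, the dual basis of Theorem 1.20 obtained by inverting T, the b_j/f′(α) formula of Theorem 1.22 (reproducing δ0, …, δ3 of Example 1.23), and the self-dual basis count SD_2(4) of Theorem 1.29 by brute force over ordered tuples. Elements are encoded as 4-bit integers; every function name is my own.

```python
import itertools
# Added example (not from the text): F_{2^4} = F_2[x]/(x^4+x^3+x^2+x+1), the field of
# Example 1.23.  An element is a 4-bit integer whose bit i is the coefficient of x^i.
N = 4
F = 0b11111        # f(x) = x^4 + x^3 + x^2 + x + 1
F_DERIV = 0b00101  # f'(x) = 4x^3 + 3x^2 + 2x + 1 = x^2 + 1 over F_2
ALPHA = 0b00010    # the root alpha = x of f in F_2[x]/(f)

def gf_mul(a, b):
    """Carry-less product of two field elements, reduced modulo f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree n reached: subtract (xor) f
            a ^= F
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def trace(a):
    """Absolute trace Tr(a) = a + a^2 + a^4 + a^8, an element of F_2 (0 or 1)."""
    t, s = 0, a
    for _ in range(N):
        t ^= s
        s = gf_mul(s, s)
    return t

def trace_matrix(alphas, betas):
    """T = ( Tr(alpha_i beta_j) ) as a list of rows over F_2."""
    return [[trace(gf_mul(a, b)) for b in betas] for a in alphas]

def inverse_mod2(m):
    """Gauss-Jordan inverse of a square F_2 matrix; None when it is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def is_basis(alphas):
    """Theorem 1.11: {alpha_i} is a basis iff det( Tr(alpha_i alpha_j) ) != 0."""
    return inverse_mod2(trace_matrix(alphas, alphas)) is not None

def dual_basis(alphas):
    """Theorem 1.20: beta_j = sum_k (T^-1)_{j,k} alpha_k; as T is symmetric,
    Tr(alpha_i beta_j) = sum_k T_{i,k} (T^-1)_{k,j} = delta_{i,j}."""
    tinv = inverse_mod2(trace_matrix(alphas, alphas))
    betas = []
    for row in tinv:
        b = 0
        for coeff, a in zip(row, alphas):
            b ^= a if coeff else 0
        betas.append(b)
    return betas

def power_basis(alpha):
    return [gf_pow(alpha, i) for i in range(N)]

def dual_of_power_basis(alpha):
    """Theorem 1.22: f(x) = (x - alpha)(b_{n-1}x^{n-1} + ... + b_0) and
    beta_j = b_j / f'(alpha); the b_j come from synthetic division of f by
    (x - alpha) (Horner's scheme; in characteristic 2, minus is plus)."""
    quotient, acc = [], 0                 # collects b_{n-1}, ..., b_0
    for i in range(N, 0, -1):
        acc = gf_mul(acc, alpha) ^ ((F >> i) & 1)
        quotient.append(acc)
    fprime = 0                            # f'(alpha), evaluated term by term
    for i in range(F_DERIV.bit_length()):
        if (F_DERIV >> i) & 1:
            fprime ^= gf_pow(alpha, i)
    inv = gf_pow(fprime, (1 << N) - 2)    # a^(2^n - 2) = a^-1 for a != 0
    return [gf_mul(bj, inv) for bj in reversed(quotient)]

def count_self_dual_bases():
    """Brute-force count of ordered self-dual bases of F_{2^4} over F_2: a tuple
    is self-dual iff its trace matrix is I_4 (then it is a basis by Theorem 1.11)."""
    tr = [[trace(gf_mul(a, b)) for b in range(1 << N)] for a in range(1 << N)]
    unit = [a for a in range(1, 1 << N) if tr[a][a] == 1]   # Tr(a*a) must be 1
    return sum(1 for t in itertools.permutations(unit, N)
               if all(tr[t[i]][t[j]] == int(i == j)
                      for i in range(N) for j in range(N)))

def sd_formula(q, n):
    """Theorem 1.29 for even q: SD_q(n) = prod_{i=1}^{n-1} (q^i - (1 + (-1)^i)/2)."""
    sd = 1
    for i in range(1, n):
        sd *= q ** i - (1 + (-1) ** i) // 2
    return sd
```

Both the brute-force count and the formula give 48 self-dual bases, the size of O_4(F_2) as stated after Theorem 1.29; the same trace-matrix check is what a reviewer would run against the constant tables of a GF(2^n) dual-basis multiplier.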

1.7 Polynomial Bases

Polynomial bases of finite fields are constructed from polynomials with coefficients in the ground field. These bases are quite easy to find and very common in many applications. Let f(x) = x^n + ⋅⋅⋅ + f1x + f0 ∈ Fq[x] be irreducible, and Fqn ≅ Fq[x]/(f(x)).

Definition 1.30. A subset of polynomials { pn−1(x), …, p1(x), p0(x) } is a basis of Fq[x]/(f(x)) if every a(x) = an−1x^{n−1} + ⋅⋅⋅ + a1x + a0 ∈ Fq[x]/(f(x)) has a unique representation as

a(x) = bn−1pn−1(x) + ⋅⋅⋅ + b1p1(x) + b0p0(x),

bi ∈ Fq. The basis is an ordered polynomial basis if deg(pi(x)) = i for i = 0, 1, 2, ..., n−1.

A large portion of the polynomial bases of Fqn are ordered polynomial bases up to a relabeling of the indices; for instance, if deg(pi) ≠ i, then a permutation π produces deg(pπ(i)) = π(i). Another important class of polynomial bases is the class of equal degree polynomial bases, for which deg(pi(x)) = n − 1 for i = 0, 1, 2, ..., n−1.

Example 1.31. (1) (Binomial basis) The subset $\{ p_i(x) = (x - a)^i : i = 0, 1, 2, \ldots, n-1 \}$, $a \in \mathbb{F}_q$, is an ordered polynomial basis. The ubiquitous polynomial basis $\{ x^{n-1}, \ldots, x, 1 \}$ is the best known, and perhaps the most important, ordered polynomial basis. Further, since

$$x^i = (x - a + a)^i = \sum_{j=0}^{i} \binom{i}{j} a^{i-j} (x - a)^j,$$

the matrix


$$A = (a_{i,j}) = \left( \binom{i}{j} a^{i-j} \right)$$

is the corresponding change of basis matrix $(x - a)^i \to x^i$. It is lower triangular with ones on the diagonal, hence invertible in every characteristic; the condition $n < p$ only guarantees that none of its binomial coefficients vanishes modulo $p$.

(2) Let $a(x) = x^n + a_{n-1}x^{n-1} + \cdots + a_1 x + a_0 \in \mathbb{F}_q[x]$, and let $p_i(x) \equiv a(x) \pmod{x^{i+1}}$, $0 \le i < n$. Then $p_0(x), p_1(x), \ldots, p_{n-1}(x)$ is an ordered polynomial basis of $\mathbb{F}_q[x]/(f(x))$, $f(x)$ irreducible of degree $\deg(f) = n$, if and only if the condition $a_0 a_1 \cdots a_{n-1} \neq 0$ holds.

(3) (Newton's basis) Let $p_0(x) = 1$ and $p_i(x) = (x - a_{i-1}) \cdots (x - a_1)(x - a_0) \in \mathbb{F}_q[x]$ for $1 \le i < n$, with $a_i \neq a_j$ for $i \neq j$. Then $\deg(p_i) = i$, and $p_{n-1}(x), \ldots, p_1(x), p_0(x)$ is an ordered polynomial basis of $\mathbb{F}_q[x]/(f(x))$.

Lemma 1.32. The total number of ordered monic polynomial bases of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is given by

$$P_q(n) = \frac{q^{n(n-1)/2}}{n} \sum_{d \mid n} \mu(d)\, q^{n/d}.$$

Proof: Clearly $p_0(x) = 1$. Since for each $i > 0$ the polynomial $p_i(x) = x^i + a_{i-1}x^{i-1} + \cdots + a_1 x + a_0$ in an ordered monic polynomial basis $\{ p_0(x), p_1(x), \ldots, p_{n-1}(x) \}$ can be chosen in $q^i$ different ways, there is a total of $q \cdot q^2 \cdot q^3 \cdots q^{n-1} = q^{n(n-1)/2}$ subsets of the form $\{ p_i(x) : \deg(p_i) = i \} \subset \mathbb{F}_q[x]$. Moreover, in order to have multiplication and division uniquely defined, an irreducible polynomial $f(x)$ of degree $n$ must be fixed. And since there are precisely

$$I_n(q) = \frac{1}{n} \sum_{d \mid n} \mu(d)\, q^{n/d}$$

such polynomials, the claim is proved. ∎

Remark: Each irreducible polynomial of degree $n$ generates $q^{n(n-1)/2}$ distinct ordered monic polynomial bases of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, including the power basis. For each fixed pair $(n, q)$ there are precisely $I_n(q)$ distinct power bases $\{ p_i(x) = x^i : i = 0, 1, 2, \ldots, n-1 \}$.

Lemma 1.33. (Lagrange basis) Let $x_{n-1}, \ldots, x_1, x_0 \in \mathbb{F}_q$ be distinct elements (so $n \le q$ is required), and let $f(x) \in \mathbb{F}_q[x]$ be irreducible of degree $n$. Then

(1) The list of polynomials $L_i(x) = \prod_{j \neq i} \dfrac{x - x_j}{x_i - x_j}$ forms an equal degree polynomial basis of $\mathbb{F}_q[x]/(f(x))$, with $\deg(L_i(x)) = n - 1$.

(2) The matrix for the change of basis $x^i \to L_i(x)$ is the Vandermonde matrix $V = V(x_{n-1}, \ldots, x_1, x_0)$.

(3) The number of distinct Lagrange bases is


q(q −1)(q −1+ n) n / d Lq (n)= ∑ µ(d)q . n d | n

Proof: (2) Let $a(x) = a_{n-1}x^{n-1} + \cdots + a_1 x + a_0 = b_{n-1}L_{n-1}(x) + \cdots + b_1 L_1(x) + b_0 L_0(x)$. Since $L_i(x_j) = \delta_{i,j}$, the substitution $x = x_i$ returns $a(x_i) = b_i$, which leads to the vector equation $b = Va$, where $b = (b_{n-1}, \ldots, b_1, b_0)$ and $a = (a_{n-1}, \ldots, a_1, a_0)$. ∎

Other varieties of polynomial bases of $\mathbb{F}_q[x]/(f(x))$ besides the ordered and equal degree ones are also possible. For example, the list $p_{n-1}(x) = x^{n-1}$ and

$$p_i(x) = \prod_{j \neq i} \frac{x - x_j}{x_i - x_j}, \qquad 0 \le i < n - 1,$$

where $x_{n-2}, \ldots, x_1, x_0 \in \mathbb{F}_q$ are distinct elements, is a polynomial basis that is neither ordered nor of equal degree.

The $\sigma^k$-Bases and the Matrices $Q_k$

Let $n, k > 0$ be positive integers, and let $\sigma \in \mathrm{Gal}(\mathbb{F}_{q^n}/\mathbb{F}_q)$ be an automorphism of the degree $n$ extension $\mathbb{F}_{q^n}$ of $\mathbb{F}_q$. Consider the image $\sigma^k(\{\alpha_i\}) = \{ \beta_0, \beta_1, \ldots, \beta_{n-1} \}$ of the basis $\{ \alpha_0, \alpha_1, \ldots, \alpha_{n-1} \}$ of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, called a $\sigma^k$-set of the basis $\{ \alpha_0, \alpha_1, \ldots, \alpha_{n-1} \}$. For example, fix the Frobenius map $\sigma \in \mathrm{Gal}(\mathbb{F}_{q^n}/\mathbb{F}_q)$; then the $\sigma^k$-set of the basis has the form

$$\alpha_0^{q^k}, \alpha_1^{q^k}, \alpha_2^{q^k}, \ldots, \alpha_{n-1}^{q^k}, \qquad \text{where } \sigma^k(x) = x^{q^k},\ 0 \le k < n.$$

Lemma 1.34. The $\sigma^k$-set $\{ \sigma^k(\alpha_0), \sigma^k(\alpha_1), \ldots, \sigma^k(\alpha_{n-1}) \}$ of a basis $\{ \alpha_0, \alpha_1, \ldots, \alpha_{n-1} \}$ is a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ for all $\sigma \in \mathrm{Gal}(\mathbb{F}_{q^n}/\mathbb{F}_q)$.

Proof: Let $\{ \alpha_0, \alpha_1, \ldots, \alpha_{n-1} \}$ be a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, and choose $\sigma \in \mathrm{Gal}(\mathbb{F}_{q^n}/\mathbb{F}_q)$ with $\sigma^k(x) = x^{q^k}$. To show that the $\sigma^k$-set is a basis, it is sufficient to prove that if the linear combination

$$a_0\alpha_0^{q^k} + a_1\alpha_1^{q^k} + a_2\alpha_2^{q^k} + \cdots + a_{n-1}\alpha_{n-1}^{q^k} = 0,$$

then the coefficient vector $a = (a_0, a_1, \ldots, a_{n-1}) = (0, 0, \ldots, 0)$. Suppose there exists $a \neq (0, 0, \ldots, 0)$ with


$$0 = a_0\alpha_0^{q^k} + a_1\alpha_1^{q^k} + a_2\alpha_2^{q^k} + \cdots + a_{n-1}\alpha_{n-1}^{q^k} = \bigl( a_0\alpha_0 + a_1\alpha_1 + a_2\alpha_2 + \cdots + a_{n-1}\alpha_{n-1} \bigr)^{q^k},$$

where the second equality holds because every $a_i \in \mathbb{F}_q$ is fixed by $x \mapsto x^{q^k}$. Then the set $\{ \alpha_0, \alpha_1, \ldots, \alpha_{n-1} \}$ is linearly dependent over $\mathbb{F}_q$, in contradiction of the fact that it is a basis. Therefore the $\sigma^k$-set is a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. ∎

The change of basis matrix $Q_k = (a_{i,j})$ defined by

$$x^{iq^k} \equiv \sum_{j=0}^{n-1} a_{i,j}\, x^j \pmod{f(x)}$$

is associated with the change of $\sigma^k$-basis

$$\{ 1, x, x^2, \ldots, x^{n-1} \} \to \{ 1, x^{q^k}, x^{2q^k}, \ldots, x^{(n-1)q^k} \}$$

of the ring $R = \mathbb{F}_q[x]/(f(x))$, where $f(x) \in \mathbb{F}_q[x]$ is a polynomial of degree $n$; it is the matrix of the $\mathbb{F}_q$-linear map $x \mapsto x^{q^k}$ of $R$ on the power basis. For an arbitrary $f(x)$ the matrix $Q_k$ is not always invertible: $x \mapsto x^{q^k}$ is injective on $R$ exactly when $R$ has no nilpotent elements, so $Q_k$ is nonsingular if and only if $f(x)$ is squarefree. In particular, if $f(x)$ is irreducible then $Q_k$ is nonsingular, but the converse fails: for $f(x) = x^2 - x$ one has $x^{q^k} \equiv x \pmod{f(x)}$, so $Q_k = I_2$ although $f(x)$ is reducible.

Remark: The matrix $Q_1 = (a_{i,j})$ is the one utilized in the Berlekamp polynomial factorization algorithm. The procedure works with the null space of $Q_1 - I_n$: its dimension equals the number of distinct irreducible factors of $f(x)$, so a squarefree $f(x)$ is irreducible if and only if $\mathrm{rank}(Q_1 - I_n) = n - 1$, and a nontrivial null vector yields a proper factor of $f(x)$; see [1, 2, 3, Berlekamp].

The system of conditions

$$\det(Q_1) \neq 0, \qquad \det(Q) \neq 0,$$

where the matrix $Q = (b_{i,j})$ is defined by

$$x^{q^i} \equiv \sum_{j=0}^{n-1} b_{i,j}\, x^j \pmod{f(x)}$$

and is associated with the change of basis

$$\{ 1, x, x^2, \ldots, x^{n-1} \} \to \{ x, x^q, x^{q^2}, \ldots, x^{q^{n-1}} \},$$

provides a deterministic test for a normal polynomial $f(x)$ (an irreducible $f(x)$ whose root $x$ generates a normal basis), but the calculation is extensive.


Chapter 2

Structured Matrices


2.1 Basic Concepts

The emphasis will be on the applications of linear algebra to bases of finite fields. Several important classes of matrices that are widely used in the analysis of bases are introduced in this chapter. These matrices are employed in changes of bases and in determining the distributions of various types of bases.

The set of all $n \times n$ matrices is denoted by $\mathcal{M}_n(\mathbb{F}_q) = \{ A = (a_{i,j}) : 0 \le i, j < n,\ a_{i,j} \in \mathbb{F}_q \}$.

Let $A = (a_{i,j}), B = (b_{i,j}) \in \mathcal{M}_n(\mathbb{F}_q)$. The sum and product of a pair of $n \times n$ matrices are defined by

(1) $A + B = (a_{i,j} + b_{i,j})$,

(2) $AB = C = (c_{i,j})$, where $c_{i,j} = \sum_{k=0}^{n-1} a_{i,k}\, b_{k,j}$.

The trace and determinant are the functions $\mathrm{tr}, \det : \mathcal{M}_n(\mathbb{F}_q) \to \mathbb{F}_q$ defined by

$$\mathrm{tr}(A) = a_{n-1,n-1} + \cdots + a_{1,1} + a_{0,0}$$

and

$$\det(A) = \sum_{\pi \in S_n} \mathrm{sgn}(\pi)\, a_{n-1,\pi(n-1)} \cdots a_{1,\pi(1)}\, a_{0,\pi(0)}.$$

The summation index $\pi$ runs through all the permutations of $\{ 0, 1, 2, \ldots, n-1 \}$, and $\mathrm{sgn}(\pi) = \pm 1$ is the sign of the even/odd permutation. The trace and determinant satisfy the following properties.

(1) $\mathrm{tr}(aA + bB) = a\,\mathrm{tr}(A) + b\,\mathrm{tr}(B)$, linearity,
(2) $\mathrm{tr}(AB) = \mathrm{tr}(BA)$, commutativity,
(3) $\mathrm{tr}(B^{-1}AB) = \mathrm{tr}(A)$, the trace is a class function,
(4) $\det(aA) = a^n \det(A)$, homogeneity of degree $n$,
(5) $\det(AB) = \det(BA)$, commutativity,
(6) $\det(B^{-1}AB) = \det(A)$, the determinant is a class function.

Another important map is the transpose function $t : \mathcal{M}_n(\mathbb{F}_q) \to \mathcal{M}_n(\mathbb{F}_q)$ given by $A \to A^T$. Transposition is an involution on $\mathcal{M}_n(\mathbb{F}_q)$. The subset of all symmetric matrices $\mathrm{Sym}\mathcal{M}_n(\mathbb{F}_q) = \{ A \in \mathcal{M}_n(\mathbb{F}_q) : A = A^T \}$ is the fixed set of the transpose function.

The most common and widely used matrices in finite fields analysis are:


(1) The Vandermonde matrix $V = (x_i^j)$, $0 \le i, j < n$.
(2) The regular matrix representation $A = (x_i^{q^j})$, $0 \le i, j < n$.
(3) The trace matrix representation $T = (\mathrm{Tr}(x_i x_j))$, $0 \le i, j < n$.
(4) The circulant matrix $C = \mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]$, $c_i \in \mathbb{F}_q$.

The Vandermonde matrix $V = (x_i^j)$ arises in the evaluation/interpolation problem for the polynomial $f(x) = a_{n-1}x^{n-1} + \cdots + a_1 x + a_0$ at the $n$ points $x_{n-1}, \ldots, x_1, x_0$. The regular matrix representation $A = (x_i^{q^j})$ arises in the determination of the linear independence and other properties of a subset of elements $\{ x_{n-1}, \ldots, x_1, x_0 \} \subset \mathbb{F}_{q^n}$. The trace matrix representation $T$ arises in the determination of the discriminants of bases, and also of linear independence. Last but not least, the circulant matrices are essential in the analysis of normal bases. Most of these matrices are of the form $A_f = (f(x_i, x_j))$, where $f : \mathbb{F}_{q^n} \times \mathbb{F}_{q^n} \to \mathbb{F}_{q^n}$ is a function and $\{ x_{n-1}, \ldots, x_1, x_0 \} \subset \mathbb{F}_{q^n}$ is a subset of $n$ points.

The regular matrix representation $A$ is the $\sigma$-image of the Vandermonde matrix $V$. This is accomplished with the assignment

$$x_i^j \to \sigma^j(x_i) = x_i^{q^j}.$$

The determinant of the first matrix $V$ is quite simple. However, the image does not preserve the determinant; in fact the determinant of the matrix $A$ is not so simple.

Theorem 2.1. Let $\{ x_{n-1}, \ldots, x_1, x_0 \} \subset \mathbb{F}_{q^n}$. Then

$$(1)\qquad \det(V) = \prod_{0 \le i < j < n} (x_i - x_j).$$

Proof: The first appears in many publications, and for the second (the determinant of $A$) see [1, Lidl et al., p. 109]. ∎

The subset of nonsingular matrices $GL_n(\mathbb{F}_q) = \{ A \in \mathcal{M}_n(\mathbb{F}_q) : \det(A) \neq 0 \}$ coincides with the multiplicative group of units of $\mathcal{M}_n(\mathbb{F}_q)$, and $SL_n(\mathbb{F}_q) = \{ A \in GL_n(\mathbb{F}_q) : \det(A) = 1 \}$ is one of the most important subgroups of $GL_n(\mathbb{F}_q)$.

Theorem 2.2. The cardinalities #GLn(Fq) and #SLn(Fq) of the sets of nonsingular matrices GLn(Fq) and SLn(Fq) are given by


$$(1)\qquad \#GL_n(\mathbb{F}_q) = \prod_{i=0}^{n-1} (q^n - q^i) = q^{n(n-1)/2} \prod_{i=1}^{n} (q^i - 1),$$

$$(2)\qquad \#SL_n(\mathbb{F}_q) = \frac{\#GL_n(\mathbb{F}_q)}{q - 1} = q^{n(n-1)/2} \prod_{i=2}^{n} (q^i - 1).$$

2.2 Circulant Matrices

The collection of circulant matrices is important and appears frequently in the analysis of normal bases in every characteristic. Only the essential details for applications in finite characteristic are considered here.

Definition 2.3. A circulant matrix, denoted by $\mathrm{circ}[c_{n-1} \ldots c_1 c_0]$, is a matrix of the form

$$\mathrm{circ}[c_{n-1} \ldots c_1 c_0] = \begin{pmatrix} c_0 & c_1 & c_2 & \cdots & c_{n-1} \\ c_{n-1} & c_0 & c_1 & \cdots & c_{n-2} \\ c_{n-2} & c_{n-1} & c_0 & \cdots & c_{n-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_1 & c_2 & c_3 & \cdots & c_0 \end{pmatrix},$$

that is, the entry in row $i$ and column $j$ is $c_{(j - i) \bmod n}$.

Properties of Circulant Matrices. Let $C = \mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]$ and $D = \mathrm{circ}[d_{n-1}, \ldots, d_1, d_0]$.

(1) $C + D = \mathrm{circ}[c_{n-1} + d_{n-1}, \ldots, c_1 + d_1, c_0 + d_0]$.
(2) $CD = DC$, multiplication is commutative.
(3) A matrix $C$ is circulant if and only if $CP = PC$, where $P = \mathrm{circ}[0, \ldots, 0, 1, 0] = (p_{i,j})$ is the permutation matrix with

$$p_{i,j} = \begin{cases} 1 & \text{if } j - i \equiv 1 \pmod n, \\ 0 & \text{otherwise.} \end{cases}$$

(4) The inverse $C^{-1}$ of a nonsingular circulant $C$ is a circulant matrix.
(5) Let $C \in C_n(\mathbb{F}_q) = \{$ nonsingular circulant matrices $\}$. Then the inverse of $C$ is $C^{-1} = \mathrm{circ}[b_{n-1}, \ldots, b_1, b_0]$, where $a(x)(x^n - 1) + b(x)c(x) = 1$, and $b(x) = b_{n-1}x^{n-1} + \cdots + b_1 x + b_0$, $c(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0 \in \mathbb{F}_q[x]/(x^n - 1)$ are the polynomial representations of $C^{-1}$ and $C$ respectively.

A wide range of algorithms for computing the inverse is available in the literature; see [1, Bini and Pan], p. ?, and [2, Bini et al.] for recent developments.

Let $\mathfrak{C}_n(\mathbb{F}_q) = \{$ circulant matrices $\}$ denote the set of all circulant matrices over $\mathbb{F}_q$, and


consider the maps

(1) $\mu : \mathfrak{C}_n(\mathbb{F}_q) \to \mathbb{F}_q[x]/(x^n - 1)$, defined by $\mu(\mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]) = c(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$, circulant matrix to polynomial;

(2) $\kappa : \mathbb{F}_{q^n} \to \mathbb{F}_q[x]/(x^n - 1)$, defined by $\kappa(\eta) = c_\eta(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$, where

$$c_i = \mathrm{Tr}\bigl(\eta^{1 + q^i}\bigr).$$

The map $\mu$ is a bijection (Theorem 2.4 below), so $\mu^{-1}$ exists. The composite $\rho = \mu^{-1} \circ \kappa$, defined by

$$\rho(\alpha) = \mathrm{circ}\bigl[\mathrm{Tr}(\alpha^{1 + q^{n-1}}), \ldots, \mathrm{Tr}(\alpha^{1 + q}), \mathrm{Tr}(\alpha^2)\bigr],$$

sends each element $\alpha \in \mathbb{F}_{q^n}$ to a circulant matrix, $\rho : \mathbb{F}_{q^n} \to \mathfrak{C}_n(\mathbb{F}_q)$. Since $\mathrm{Tr}(\alpha^{q^i}\alpha^{q^j}) = \mathrm{Tr}\bigl((\alpha\,\alpha^{q^{j-i}})^{q^i}\bigr) = c_{(j - i) \bmod n}$, the matrix $\rho(\alpha)$ is exactly the trace matrix $(\mathrm{Tr}(\alpha^{q^i}\alpha^{q^j}))$ of the conjugates of $\alpha$; in particular, $\alpha$ is a normal element if and only if $\rho(\alpha)$ is nonsingular.

Theorem 2.4. (Convolution Theorem) The map $\mathrm{circ}[c_{n-1}, \ldots, c_1, c_0] \to c(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$ is a ring isomorphism, viz. $\mathfrak{C}_n(\mathbb{F}_q) \cong \mathbb{F}_q[x]/(x^n - 1)$.

Proof: The additive property is clear. To verify the multiplicative property, let $A = \mathrm{circ}[a_{n-1}, \ldots, a_1, a_0]$, $B = \mathrm{circ}[b_{n-1}, \ldots, b_1, b_0]$, and $\mu(A) = a(x)$, $\mu(B) = b(x)$; a direct calculation checks $\mu(AB) = \mu(A) * \mu(B)$, where the product $a(x) * b(x) \equiv a(x)b(x) \pmod{x^n - 1}$ is the circular convolution of the polynomials $a(x), b(x) \in \mathbb{F}_q[x]/(x^n - 1)$. ∎

Another proof is via the correspondence $x^i \to P^i$, where $P$ is the permutation matrix of property (3). A generalization to $c$-circulant matrices and the polynomial ring $\mathbb{F}_q[x]/(x^n - c)$, $0 \neq c \in \mathbb{F}_q$, is described in [2, Pan, p. 134]. If $c = -1$, a $c$-circulant matrix is called anti-circulant. If $n$ is even and $q$ is odd (so that $x^{n/2} - 1$ and $x^{n/2} + 1$ are coprime), then a circulant matrix decomposes as a direct sum of an $n/2 \times n/2$ circulant matrix and an $n/2 \times n/2$ anti-circulant matrix. An anti-circulant matrix has the form

$$\mathrm{acirc}[c_{n-1} \ldots c_1 c_0] = \begin{pmatrix} c_0 & -c_1 & -c_2 & \cdots & -c_{n-1} \\ c_{n-1} & c_0 & -c_1 & \cdots & -c_{n-2} \\ c_{n-2} & c_{n-1} & c_0 & \cdots & -c_{n-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_1 & c_2 & c_3 & \cdots & c_0 \end{pmatrix}.$$


Thus, for $n$ even and $q$ odd, the ring of circulant matrices satisfies $\mathfrak{C}_n(\mathbb{F}_q) \cong \mathbb{F}_q[x]/(x^{n/2} - 1) \times \mathbb{F}_q[x]/(x^{n/2} + 1)$, see [ibid., p. 215].

In [2, MacWilliams], and in other authors, the isomorphism is continued to the direct product

$$\frac{\mathbb{F}_q[x]}{(x^n - 1)} \cong \frac{\mathbb{F}_q[x]}{((x - 1)^v)} \times \frac{\mathbb{F}_q[x]}{(f_1(x)^v)} \times \frac{\mathbb{F}_q[x]}{(f_2(x)^v)} \times \cdots \times \frac{\mathbb{F}_q[x]}{(f_d(x)^v)},$$

where $n = vm$ with $v$ the largest power of $p = \mathrm{char}(\mathbb{F}_q)$ dividing $n$, so that $\gcd(m, q) = 1$ and $x^n - 1 = (x^m - 1)^v = (x - 1)^v f_1(x)^v f_2(x)^v \cdots f_d(x)^v$, with $x^m - 1 = (x - 1)f_1(x) \cdots f_d(x)$ a product of distinct irreducibles (the factor $x + 1$ is among the $f_i$ when $m$ is even and $q$ is odd). This technique readily leads to the classification of two important subgroups of $C_n(\mathbb{F}_q)$:

(1) The subgroup of symmetric circulant matrices $SC_n(\mathbb{F}_q) = \{ C \in C_n(\mathbb{F}_q) : C = C^T \}$.

(2) The subgroup of orthogonal circulant matrices $OC_n(\mathbb{F}_q) = \{ C \in C_n(\mathbb{F}_q) : CC^T = I_n \}$.

The transpose $\mathrm{circ}[c_{n-1}, c_{n-2}, \ldots, c_1, c_0]^T = \mathrm{circ}[c_1, c_2, \ldots, c_{n-1}, c_0]$ of a circulant matrix (its first row is $(c_0, c_{n-1}, \ldots, c_2, c_1)$) corresponds to the reciprocal polynomial

$$c^*(x) = x^n c(1/x) = c_0 x^n + c_1 x^{n-1} + \cdots + c_{n-2}x^2 + c_{n-1}x \equiv c_0 + c_{n-1}x + \cdots + c_1 x^{n-1} \pmod{x^n - 1}$$

of $c(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$ in $\mathbb{F}_q[x]/(x^n - 1)$. Similarly, a symmetric circulant matrix

$$\mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]^T = \mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]$$

corresponds to a self-reciprocal polynomial $c(x) = c^*(x)$, and an orthogonal circulant matrix $\mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]$ with

$$\mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]\, \mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]^T = I_n$$

corresponds to a polynomial $c(x) \in \mathbb{F}_q[x]/(x^n - 1)$ such that $c(x)c^*(x) \equiv 1 \pmod{x^n - 1}$.
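As an added example (not code from the book), the following Python script implements the dictionary of this section over a prime field $\mathbb{F}_p$: a circulant is stored by its first row $(c_0, c_1, \ldots, c_{n-1})$ and identified with $c(x) = \sum c_i x^i$ in $\mathbb{F}_p[x]/(x^n - 1)$; the matrix product is checked against the circular convolution of Theorem 2.4, the inverse is computed from $b(x)c(x) \equiv 1 \pmod{x^n - 1}$ by the extended Euclidean algorithm (property (5)), the transpose against the reciprocal polynomial, and orthogonality $CC^T = I_n$ against $c(x)c^*(x) \equiv 1$. The modulus $p$ (assumed prime, so that inverses come from Fermat's little theorem) and the sample rows are chosen here; the orthogonal example $c(x) = 2 + x + x^2$ over $\mathbb{F}_5$ was found by solving $c(x)^2 \equiv 1 \pmod{x^3 - 1}$ by hand. Function names are this example's own.

```python
# Added example: circulant matrices over F_p as polynomials in F_p[x]/(x^n - 1).
# A circulant is given by its first row c = [c_0, c_1, ..., c_{n-1}], i.e. by
# c(x) = c_0 + c_1 x + ... + c_{n-1} x^{n-1}; entry (i, j) of the matrix is
# c[(j - i) mod n].  p is assumed prime (inverses use Fermat's little theorem).

def circulant(c, p):
    """Full n x n matrix of circ[c_{n-1}, ..., c_1, c_0] over F_p."""
    n = len(c)
    return [[c[(j - i) % n] % p for j in range(n)] for i in range(n)]

def matmul(A, B, p):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def convolve(a, b, p):
    """a(x) b(x) mod (x^n - 1): the circular convolution of Theorem 2.4."""
    n = len(a)
    r = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[(i + j) % n] = (r[(i + j) % n] + ai * bj) % p
    return r

def reciprocal(c):
    """c*(x) = x^n c(1/x) mod (x^n - 1): the coefficient of x^i moves to x^{n-i}.
    This is the polynomial of the transposed circulant."""
    n = len(c)
    return [c[(-i) % n] for i in range(n)]

# --- plain F_p[x] arithmetic on coefficient lists, lowest degree first ---
def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, p):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] = (r[i + j] + ai * bj) % p
    return trim(r)

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])

def poly_divmod(a, b, p):
    """Quotient and remainder of a by b in F_p[x] (b nonzero)."""
    a, b = trim(a), trim(b)
    db, inv = len(b) - 1, pow(b[-1], p - 2, p)
    q = [0] * max(len(a) - db, 0)
    for i in range(len(a) - 1, db - 1, -1):
        coef = a[i] * inv % p
        q[i - db] = coef
        for j in range(db + 1):
            a[i - db + j] = (a[i - db + j] - coef * b[j]) % p
    return q, trim(a)

def circulant_inverse(c, p):
    """First row of C^{-1}: b(x) with b(x) c(x) = 1 mod (x^n - 1), found by the
    extended Euclidean algorithm (property (5)).  Returns None when
    gcd(c(x), x^n - 1) != 1, i.e. when the circulant is singular."""
    n = len(c)
    r0, r1 = [p - 1] + [0] * (n - 1) + [1], trim(c)   # x^n - 1 and c(x)
    t0, t1 = [], [1]                                  # Bezout coefficients of c(x)
    while r1:
        q, r = poly_divmod(r0, r1, p)
        r0, r1 = r1, r
        t0, t1 = t1, poly_sub(t0, poly_mul(q, t1, p), p)
    if len(r0) != 1:                                  # gcd has positive degree
        return None
    inv = pow(r0[0], p - 2, p)
    return [(x * inv) % p for x in t0 + [0] * n][:n]

def is_orthogonal_circulant(c, p):
    """C C^T = I_n  <=>  c(x) c*(x) = 1 mod (x^n - 1)."""
    return convolve(c, reciprocal(c), p) == [1] + [0] * (len(c) - 1)

def convolution_matches(a, b, p):
    """Theorem 2.4: circ(a) circ(b) equals circ(a * b)."""
    return matmul(circulant(a, p), circulant(b, p), p) == circulant(convolve(a, b, p), p)
```

A singular circulant shows up as a nonconstant gcd with $x^n - 1$ (for instance $c(x) = 1 + x$ over $\mathbb{F}_2$ with $n = 2$, where $x^2 - 1 = (x + 1)^2$), which is exactly the König–Rados phenomenon of the next pages read through the polynomial side of the isomorphism.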

These concepts are utilized to complete the enumeration of dual and self-dual normal bases.

The size $\#C_n(\mathbb{F}_q)$ of $C_n(\mathbb{F}_q)$ determines the total number of normal bases up to a multiplicative factor $1/n$. The size $\#SC_n(\mathbb{F}_q)$ of the subgroup $SC_n(\mathbb{F}_q)$ of nonsingular symmetric circulant matrices determines the totality of dual normal bases up to a multiplicative factor. And the size $\#OC_n(\mathbb{F}_q)$ of the subgroup $OC_n(\mathbb{F}_q) = O_n(\mathbb{F}_q) \cap C_n(\mathbb{F}_q)$ of nonsingular orthogonal circulant matrices over $\mathbb{F}_q$ determines the totality of self-dual normal bases up to a multiplicative factor. All these statistics are conditional on the existence of self-dual normal bases. The order of the subgroup $OC_n(\mathbb{F}_q) = \{$ orthogonal circulant matrices $\}$ of $GL_n(\mathbb{F}_q)$ is computed in [2, MacWilliams] and elsewhere.

The reciprocal ordered factorization of $x^n - 1$ is the arrangement $x^n - 1 = (x - 1)(x + 1)^e f_1(x) \cdots f_t(x)\, g_{t+1}(x)g_{t+1}^*(x) \cdots g_u(x)g_u^*(x)$, where $e = 1$ if $n$ is even (and $q$ is odd), otherwise $e = 0$; each $f_i(x)$ is an irreducible self-reciprocal factor of degree $\deg(f_i(x)) = 2c_i$, and each $g_j(x), g_j^*(x)$ is a pair of irreducible factors of degree $d_j$ that are not self-reciprocal.


Theorem 2.5. The cardinality $\#C_n(\mathbb{F}_q)$ of the group $C_n(\mathbb{F}_q)$ of nonsingular circulant matrices over $\mathbb{F}_q$ (the unit group of $\mathbb{F}_q[x]/(x^n - 1)$, by Theorem 2.4) is as follows.

$$\#C_n(\mathbb{F}_q) = \begin{cases} (q - 1)^{1 + e} \displaystyle\prod_{i=1}^{t} (q^{2c_i} - 1) \prod_{j=t+1}^{u} (q^{d_j} - 1)^2 & \text{if } \gcd(n, q) = 1, \\[2ex] q^{(q-1)k}\, \#C_k(\mathbb{F}_q) & \text{if } n = kq,\ \gcd(k, q) = 1. \end{cases}$$

The first line counts the units of the product of fields $\mathbb{F}_q[x]/(x^n - 1) \cong \prod_h \mathbb{F}_q[x]/(h(x))$ over the irreducible factors $h$ of $x^n - 1$; the second uses $x^{kq} - 1 = (x^k - 1)^q$, so that each factor $\mathbb{F}_q[x]/(h(x)^q)$ has $q^{(q-1)\deg h}(q^{\deg h} - 1)$ units.

The formulae for the cardinalities of the various subgroups are simpler to derive whenever $\gcd(n, q) = 1$. In this case the polynomial $x^n - 1$ is separable:

$$x^n - 1 = (x - 1)f_1(x)f_2(x)\cdots f_d(x) \qquad \text{or} \qquad (x - 1)(x + 1)f_1(x)f_2(x)\cdots f_d(x),$$

depending on whether $n$ is odd or even, with $f_i(x)$ irreducible.

Theorem 2.6. The cardinality $\#SC_n(\mathbb{F}_q)$ of the group $SC_n(\mathbb{F}_q)$ of nonsingular symmetric circulant matrices over $\mathbb{F}_q$ is as follows.

$$\#SC_n(\mathbb{F}_q) = \begin{cases} (q - 1)^{\delta} \displaystyle\prod_{i=1}^{t} (q^{c_i} - 1) \prod_{j=t+1}^{u} (q^{d_j} - 1) & \text{if } \gcd(n, q) = 1, \\[2ex] q^{(q-1)k/2}\, \#SC_k(\mathbb{F}_q) & \text{if } n = kq,\ \gcd(k, q) = 1,\ q \text{ odd}, \end{cases}$$

where $\delta = 1$ if $n$ is odd and $\delta = 2$ if $n$ is even (so $\delta = 1 + e$). The factor $q^{c_i} - 1$ counts the self-reciprocal units of $\mathbb{F}_q[x]/(f_i(x)) \cong \mathbb{F}_{q^{2c_i}}$, which form the subfield $\mathbb{F}_{q^{c_i}}$ fixed by $c \mapsto c^*$; the factor $q^{d_j} - 1$ counts the pairs $(a, a^*)$ in $\mathbb{F}_q[x]/(g_j) \times \mathbb{F}_q[x]/(g_j^*)$.

Theorem 2.7. The cardinality $\#OC_n(\mathbb{F}_q)$ of the group $OC_n(\mathbb{F}_q)$ of nonsingular orthogonal circulant matrices over $\mathbb{F}_q$ is as follows.

$$\#OC_n(\mathbb{F}_q) = \begin{cases} \gamma^{\delta} \displaystyle\prod_{i=1}^{t} (q^{c_i} + 1) \prod_{j=t+1}^{u} (q^{d_j} - 1) & \text{if } \gcd(n, q) = 1, \\[2ex] q^{(q-1)k/2}\, \#OC_k(\mathbb{F}_q) & \text{if } n = kq,\ \gcd(k, q) = 1,\ q \text{ odd}, \end{cases}$$

where $\delta$ is as in Theorem 2.6 and $\gamma$ is the number of solutions of $u^2 = 1$ in $\mathbb{F}_q$, namely $\gamma = 2$ for $q$ odd and $\gamma = 1$ for $q$ even. The factor $q^{c_i} + 1$ counts the elements of norm $1$ in $\mathbb{F}_{q^{2c_i}}$ over $\mathbb{F}_{q^{c_i}}$, i.e. the solutions of $c\,c^* = 1$ in $\mathbb{F}_q[x]/(f_i(x))$.

Another approach to the calculation of the sizes of the various subgroups of $C_n(\mathbb{F}_q)$ uses only information about the degrees of the factors of $x^n - 1$. The resulting formulae use only integer arithmetic; confer [1, Byrd et al.] for more details.

Theorem 2.8. Let $F = \frac{1}{\sqrt{n}}(\omega^{ij})$, $0 \le i, j < n$, be the (unitary) Fourier matrix of order $n$, where $\omega$ is a primitive $n$th root of unity in $\mathbb{C}$, and let $C = \mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]$ with $c(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$. Then

$$F^* C F = \mathrm{diag}\bigl(c(1), c(\omega), c(\omega^2), \ldots, c(\omega^{n-1})\bigr).$$

Proof: The matrix $F^*$ is the conjugate transpose of $F$, and $F^*F = I_n$. The $j$th column of $F$ is an eigenvector of $C$ with eigenvalue $c(\omega^j)$, since $\sum_k c_{(k - i) \bmod n}\, \omega^{jk} = \omega^{ij}\, c(\omega^j)$. ∎


Theorem 2.9. (König and Rados) The polynomial $f(x) = a_{q-2}x^{q-2} + \cdots + a_1 x + a_0 \in \mathbb{F}_q[x]$ has $q - 1 - r$ distinct nonzero roots in $\mathbb{F}_q$, where $r$ is the rank of the circulant matrix $C = \mathrm{circ}[a_{q-2}, \ldots, a_1, a_0]$.

Proof: Let $\omega$ be of order $n = q - 1$ in $\mathbb{F}_q$ (a primitive element), and $F = (\omega^{ij})$, $0 \le i, j < n$, so that $F^{-1} = n^{-1}(\omega^{-ij})$. The triple product $F^{-1} C F = \mathrm{diag}(f(1), f(\omega), \ldots, f(\omega^{q-2}))$. Hence the rank of $C$ is $r = \#\{ 0 \neq x \in \mathbb{F}_q : f(x) \neq 0 \}$. ∎

This result, which is well known, counts the distinct nonzero roots of a polynomial $f(x)$ of degree $\le q - 2$, or equivalently of a polynomial from $\mathbb{F}_q[x]/(x^{q-1} - 1)$. The count does not include multiplicities.

Corollary 2.10. Let $n \ge 1$, and let $f(x) = a_k x^k + \cdots + a_1 x + a_0 \in \mathbb{F}_q[x]$ be irreducible of degree $k \ge 2$ with $k < m = q^n - 1$. Then the $m \times m$ circulant matrix $C = \mathrm{circ}[a_{m-1}, \ldots, a_1, a_0]$, with $a_i = 0$ for $k < i < m$, is nonsingular for every $n$ with $\gcd(k, n) = 1$.

Proof: The roots of $f(x)$ generate $\mathbb{F}_{q^k}$, so $f(x)$ has a root in $\mathbb{F}_{q^n}$ only if $k \mid n$; the constraint $\gcd(k, n) = 1$ with $k \ge 2$ therefore implies that $f(x)$ has no root in $\mathbb{F}_{q^n}$, and by Theorem 2.9 applied in $\mathbb{F}_{q^n}$ the rank of the matrix is $q^n - 1$. ∎

Example 2.11. Let $x^2 + ax + b \in \mathbb{F}_q[x]$ be irreducible, let $n = 2v + 1$, and $2 < m = q^n - 1$. Then $C = \mathrm{circ}[a_{m-1}, \ldots, a_1, a_0]$ with $a_2 = 1$, $a_1 = a$, $a_0 = b$ and all other $a_i = 0$ is nonsingular for all such $n$. This produces nonsingular circulant matrices with at most 3 nonzero entries per row and arbitrary dimensions $m = q^n - 1$.

Theorem 2.12. The determinant of the circulant matrix $C = \mathrm{circ}[c_{n-1}, \ldots, c_1, c_0]$ is given by the formulae

(1) for $n = 3$: $\det(C) = c_2^3 + c_1^3 + c_0^3 - 3c_2 c_1 c_0$;

(2) $\det(C) = c_{n-1}^{\,n} \displaystyle\prod_{i=0}^{n-2} (\alpha_i^n - 1)$, where $c_{n-1} \neq 0$ and $\alpha_0, \ldots, \alpha_{n-2}$ are the roots of $c(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$ in an algebraic closure of $\mathbb{F}_q$;

(3) $\det(C) = \displaystyle\prod_{i=0}^{n-1} \Bigl( \sum_{j=0}^{n-1} c_j \theta^{ij} \Bigr) = \prod_{i=0}^{n-1} c(\theta^i)$, where $\theta$ is a primitive $n$th root of unity (so $\gcd(n, q) = 1$).

Proof: Lines (2) and (3) are derived from the resultant, viz. $\det(C) = \mathrm{Res}(c(x), x^n - 1)$, et cetera; (1) is the case $n = 3$ of (3). ∎


Further simplification of $\det(C)$ is achieved if $n \equiv 0$ in $\mathbb{F}_q$.

The regular matrix representation $A = (\sigma^i(\alpha_j))$ of a set of conjugate elements $\{ \alpha_j \}$ is a circulant matrix. In addition, if these elements are periods, then the determinant of this matrix can be evaluated in terms of Gauss (gamma) sums. Let $p = kn + 1$ be prime, let $\eta_{n-1}, \ldots, \eta_1, \eta_0$ be the periods of degree $n$, let $G(x) = \eta_{n-1}x^{n-1} + \cdots + \eta_1 x + \eta_0$, and let $\theta$ be a primitive $n$th root of unity. The beta and gamma sums satisfy the properties

(1) $G(\theta^s) = -1$ if $n$ divides $s$,

(2) $\lvert G(\theta^s) \rvert^2 = G(\theta^s)\,\overline{G(\theta^s)} = p$ if $n$ does not divide $s$,

(3) $B(s, t) = -\dfrac{G(\theta^s)\, G(\theta^t)}{G(\theta^{s+t})}$.

Corollary 2.13. If $p = kn + 1$ is a prime, and $\eta_{n-1}, \ldots, \eta_1, \eta_0$ are the periods of degree $n$, then the determinant of $C = \mathrm{circ}[\eta_{n-1}, \ldots, \eta_1, \eta_0]$ is $\det(C) = \pm p^{(n-1)/2}$.

Proof: By the previous theorem

$$\det(C) = \prod_{s=0}^{n-1} G(\theta^s),$$

and substituting the values of the gamma sums returns $\det(C)^2 = p^{n-1}$. ∎

The concept of circulant matrix is extendable in several directions. One possibility is to consider a function $f : \mathbb{Z}_n \to \mathbb{F}_q$, and let the circulant matrix be $C_f = \mathrm{circ}[f(n-1), \ldots, f(1), f(0)]$. Some of the functions widely used are characters of $\mathbb{F}_r$, $r$ a prime power. For an additive character $\psi$, the circulant matrix is given by

$$Q = (\psi(j - i)) = \mathrm{circ}[\psi(n-1), \ldots, \psi(1), \psi(0)],$$

and for a multiplicative character $\chi$, the circulant matrix is given by

$$R = (\chi(j - i)) = \mathrm{circ}[\chi(n-1), \ldots, \chi(1), \chi(0)].$$

Lemma 2.14. Let $\chi$ be the quadratic symbol in $\mathbb{F}_r$, and let $n = r$. Then
(1) $R$ is symmetric if $r \equiv 1 \pmod 4$; otherwise it is skew symmetric, viz. $R = -R^T$.
(2) $R$ is not invertible.

Proof: (1) follows from $\chi(-1) = (-1)^{(r-1)/2}$. To see that $R$ is singular, consider the assignment

$$R = \mathrm{circ}[\chi(n-1), \ldots, \chi(1), \chi(0)] \to R(x) = \chi(n-1)x^{n-1} + \cdots + \chi(1)x + \chi(0).$$


Then $R(1) = \sum_{a \in \mathbb{F}_r} \chi(a) = 0$, so $x - 1$ divides $R(x)$ and $\gcd(x^n - 1, R(x)) \neq 1$. Thus $R(x)$ is not invertible in $\mathbb{F}_q[x]/(x^n - 1)$. ∎

The class of circulant matrices R are used in the construction of other classes of structured matrices.

Definition 2.15. An $n \times n$ matrix $A = (a_{i,j})$, $a_{i,j} \in \{ -1, 0, 1 \}$, is a conference matrix provided that $a_{i,i} = 0$, $AA^T = (n - 1)I_n$, and $n$ is even.

Lemma 2.16. Let $r \equiv 1 \pmod 4$, and let $\chi$ be the quadratic symbol in $\mathbb{F}_r$. Then
(1) The $n \times n$ matrix $S = (s_{i,j})$, where $n = r + 1$, $0 \le i, j \le r$, and

$$s_{i,j} = \begin{cases} 1 & \text{if } i = 0 \text{ or } j = 0, \text{ and } i \neq j, \\ \chi(j - i) & \text{otherwise,} \end{cases}$$

is a nonsingular symmetric conference matrix.
(2) The matrix $\frac{1}{\sqrt{r}} S$ is orthogonal.
(3) In characteristic $p$ with $r \equiv 1 \pmod p$ (so that $SS^T = rI_n = I_n$), if the basis $\{ \alpha_{n-1}, \ldots, \alpha_1, \alpha_0 \}$ is self-dual, then the basis obtained by the change of basis

$$\alpha_i \to \beta_i = s_{i,0}\alpha_0 + s_{i,1}\alpha_1 + \cdots + s_{i,n-1}\alpha_{n-1}$$

is also self-dual.

Proof: (1) The entry $\chi(i - j) = \chi(j - i)$ since $\chi(-1) = 1$ in $\mathbb{F}_r$, so the matrix $S$ is symmetric, and $S^2 = SS^T = rI_{r+1}$. ∎

Example 2.17. Let $r = 4e + 1$ and $2n + 1 = 2(r + 1) + 1$ be primes. If $q = 2$ has order $2n$ modulo $2n + 1$, then the element $\eta = \omega + \omega^{-1}$ generates a self-dual normal basis of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$, where $1 \neq \omega \in \mathbb{F}_{2^{2n}}$ and $\omega^{2n+1} = 1$. Moreover, since the matrix $S$ is orthogonal in characteristic $p = 2$ ($r$ is odd, so $SS^T = rI_n = I_n$), the change of basis

$$\eta \to \tau = s_{0,0}\eta + s_{0,1}\eta^q + s_{0,2}\eta^{q^2} + \cdots + s_{0,n-1}\eta^{q^{n-1}} = \omega^2 + \omega^{-2} + \omega^{2^2} + \omega^{-2^2} + \cdots + \omega^{2^{n-1}} + \omega^{-2^{n-1}}$$

also gives a self-dual normal basis of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$. The first instance is for the parameters $r = 5$, $n = r + 1 = 6$. The corresponding matrix is


 0 1 1 1 1 1   − −   1 0 1 1 1 1   1 1 0 1 −1 −1 S6 =   .  1 −1 1 0 1 −1  1 −1 −1 1 0 1     1 1 −1 −1 1 0 

2 2 5 5 Hence η = ω + ω−1 andτ = ω 2 + ω −2 + ω 2 + ω −2 +  + ω 2 + ω −2 generate self-dual normal bases of F25 over F2.

2.3 Triangular Matrices

Lemma 2.18. Let $n > 1$, and let $q$ be a prime power. Then
(1) The set of $n \times n$ upper triangular matrices $T_n = \{ A = (a_{i,j}) : a_{i,j} = 0 \text{ for } i > j,\ a_{i,i} \neq 0 \}$ is a group.
(2) The subset of $n \times n$ upper triangular matrices $T_n(1) = \{ A \in T_n : a_{i,i} = 1 \}$ is a Sylow $p$-subgroup of $GL_n(\mathbb{F}_q)$, $p = \mathrm{char}(\mathbb{F}_q)$.

Proof: (2) The cardinality of the set $T_n$ of falling diagonal matrices is $\#T_n = (q - 1)^n q^{n(n-1)/2}$, but the cardinality of the set $T_n(1)$ of falling constant diagonal $a_{i,i} = 1$ matrices is $\#T_n(1) = q^{n(n-1)/2}$, which is the full power of $p$ dividing $\#GL_n(\mathbb{F}_q)$ (Theorem 2.2). This proves the claim. ∎

The modification $A \to B = AJ_n$, where $J_n$ is the anti-identity matrix, from a falling diagonal matrix to a rising diagonal matrix is used in finite field multipliers. For $n = 3$ this has the form

$$\begin{pmatrix} a_3 & a_2 & a_1 \\ 0 & a_3 & a_2 \\ 0 & 0 & a_3 \end{pmatrix} \to \begin{pmatrix} a_3 & a_2 & a_1 \\ 0 & a_3 & a_2 \\ 0 & 0 & a_3 \end{pmatrix} \begin{pmatrix} 0 & 0 & 1 \\ 0 & 1 & 0 \\ 1 & 0 & 0 \end{pmatrix} = \begin{pmatrix} a_1 & a_2 & a_3 \\ a_2 & a_3 & 0 \\ a_3 & 0 & 0 \end{pmatrix}.$$

The coefficients of a monic polynomial $f(x) = a_n x^n + a_{n-1}x^{n-1} + \cdots + a_1 x + a_0$, $a_n = 1$, are utilized to construct the triangular matrix $C_f = (c_{i,j})$ and its inverse $D = (d_{i,j})$. The entries of these matrices are defined by

$$c_{i,j} = \begin{cases} a_{i+j+1} & \text{if } 0 \le i + j \le n - 1, \\ 0 & \text{if } n \le i + j \le 2n - 2, \end{cases} \qquad d_{i,j} = \begin{cases} 0 & \text{if } 0 \le i + j \le n - 2, \\ b_{i+j+1-n} & \text{if } n - 1 \le i + j \le 2n - 2, \end{cases}$$

where $b_0 = a_n^{-1}$ and the remaining $b_k$ are determined by the recursion $\sum_{i=0}^{k} a_{n-k+i}\, b_i = 0$ for $1 \le k \le n - 1$.


The subset of the matrices

$$C_f = \begin{pmatrix} a_1 & a_2 & a_3 & \cdots & a_n \\ a_2 & a_3 & a_4 & \cdots & 0 \\ \vdots & \vdots & \vdots & & \vdots \\ a_{n-1} & a_n & 0 & \cdots & 0 \\ a_n & 0 & 0 & \cdots & 0 \end{pmatrix}$$

does not have a group structure. The matrix $C_f$ is a special case of a Bezout matrix, see [2, Pan, p. 156]. The determinant of this anti-triangular matrix is a very simple expression, namely $\det(C_f) = (-1)^{n(n-1)/2} a_n^n = \pm 1$. The triangular change of basis is given by the formula

$$\beta_i = \sum_{j=0}^{n-1} c_{i,j}\,\alpha_j = \sum_{j=0}^{n-1-i} a_{i+j+1}\,\alpha_j.$$

Specifically, these equations are:

$\beta_0 = a_1\alpha_0 + a_2\alpha_1 + a_3\alpha_2 + \cdots + a_{n-1}\alpha_{n-2} + a_n\alpha_{n-1}$, with $a_n = 1$,
$\beta_1 = a_2\alpha_0 + a_3\alpha_1 + a_4\alpha_2 + \cdots + a_n\alpha_{n-2}$,
$\beta_2 = a_3\alpha_0 + a_4\alpha_1 + \cdots + a_n\alpha_{n-3}$,
$\cdots$
$\beta_{n-2} = a_{n-1}\alpha_0 + a_n\alpha_1$,
$\beta_{n-1} = a_n\alpha_0$.

The collection of rising diagonal triangular matrices $T_n(2)$ defined by these polynomials is closely linked to the collection $T_n(1)$. However, it does not have a group structure, and since the polynomials are irreducible there are fewer matrices in $T_n(2)$.

Example 2.19. For the trinomial $f(x) = x^n + x^k + 1$ in $\mathbb{F}_q[x]$, the triangular change of basis is nearly a permutation of the power basis. As an instance, there is the sequence of irreducible polynomials $f_2(x) = x^2 + x + 1$, $f_3(x) = x^3 + x + 1$, $f_4(x) = x^4 + x + 1$, $f_6(x) = x^6 + x + 1, \ldots$ in $\mathbb{F}_2[x]$, and the corresponding sequence of matrices

$$C_2 = \begin{pmatrix} 1 & 1 \\ 1 & 0 \end{pmatrix}, \quad C_3 = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \\ 1 & 0 & 0 \end{pmatrix}, \quad C_4 = \begin{pmatrix} 1 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \end{pmatrix}, \quad C_6 = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \end{pmatrix}, \ldots$$


In this case the change of basis from the power basis $\{ 1, \alpha, \alpha^2, \ldots, \alpha^{n-1} \}$ to the triangular basis $\{ \beta_0, \beta_1, \beta_2, \ldots, \beta_{n-1} \}$ is simply

$\beta_0 = \alpha^{n-1} + 1 = \alpha^{-1}$, since $\alpha^n + \alpha + 1 = 0$,
$\beta_1 = \alpha^{n-2}$,
$\beta_2 = \alpha^{n-3}$,
$\cdots$
$\beta_{n-2} = \alpha$,
$\beta_{n-1} = 1$.

Comprehensive tables of the irreducible/primitive polynomials $f_n(x) = x^n + x + 1 \in \mathbb{F}_2[x]$ appear in [1, Zieler et al.], [1, 2, Zivkovic], and [2, Menezes, p. 158]. A list of primitive trinomials $x^n + x^k + 1$ in $\mathbb{F}_2[x]$ appears in [2, Menezes, p. 161], and a table of trinomials whose degrees $n = 2^p - 1$ are primes is given in [1, Kurita et al.].

The next lemma indicates that if $\alpha$ is a root of an irreducible polynomial $f_{2k}(x) = x^{2k} + x + 1$ of even degree $n = 2k$ in the sequence $\{$ irreducible $f_n(x) = x^n + x + 1 \in \mathbb{F}_2[x] \}$, then $\{ 1, \alpha, \alpha^2, \ldots, \alpha^{n-1} \}$ and $\{ \alpha^{n-1} + 1, \alpha^{n-2}, \ldots, \alpha, 1 \}$ are dual bases.

Lemma 2.20. The power basis and the triangular basis are dual bases if and only if $n$ is even and the coefficients of the irreducible polynomial $f(x) = a_n x^n + a_{n-1}x^{n-1} + \cdots + a_1 x + a_0 \in \mathbb{F}_2[x]$ satisfy

$$a_i = \begin{cases} 1 & \text{if } i = 1, \\ 0 & \text{if } i \text{ is odd and } 1 < i < n. \end{cases}$$

Proof: See [4, Hasan and Bhargava]. ∎

2.4 Hadamard Matrices

In finite field analysis the collection of Hadamard matrices has many applications, one of them being the generation of dual bases in characteristic $\mathrm{char}(\mathbb{F}_q) > 2$, but not self-dual ones.

Definition 2.21. Let $A$ and $B$ be $n \times n$ and $k \times k$ matrices respectively. The tensor product $A \otimes B$ of $A$ and $B$ is the $kn \times kn$ matrix $A \otimes B = (a_{i,j}B)$.

Theorem 2.22. If $A = (a_{i,j})$ and $B = (b_{i,j})$ are matrices such that $a_{i,j}, b_{i,j} \in \{ -1, 1 \}$, then the tensor product $A \otimes B = (c_{i,j})$ has $c_{i,j} \in \{ -1, 1 \}$.

Definition 2.23. An $n \times n$ matrix $H_n = (h_{i,j})$, $h_{i,j} \in \{ -1, 1 \}$, such that $H_n H_n^T = nI_n$ is called a Hadamard matrix of order $n$.


The tensor product of two Hadamard matrices $A_k = (a_{i,j})$ and $B_n = (b_{i,j})$ of orders $k$ and $n$ respectively yields a Hadamard matrix $H_{kn} = (h_{i,j}) = A \otimes B$ of order $kn$, since $(A \otimes B)(A \otimes B)^T = AA^T \otimes BB^T = kn\, I_{kn}$. This simple mechanism is very useful in the construction of larger matrices and infinite sequences of these matrices.

The first is taken to be $H_1 = [1]$ and the second is $H_2 = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$. Repeatedly tensoring with $H_2$ produces an infinite sequence of Hadamard matrices (Sylvester's construction):

$$H_{2^k} = H_2 \otimes H_{2^{k-1}} = \begin{pmatrix} H_{2^{k-1}} & H_{2^{k-1}} \\ H_{2^{k-1}} & -H_{2^{k-1}} \end{pmatrix}$$

of order $n = 2^k$, $k \ge 1$. The first two are

$$H_2 = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \qquad H_4 = H_2 \otimes H_2 = \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & -1 & 1 & -1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}.$$

The apparatus for producing other well known infinite sequences of Hadamard matrices is stated below.

Theorem 2.24. (Paley 1933) If $q$ is a prime power, then there is a Hadamard matrix of order $n = 2^e(q + 1)$, where $e \ge 0$ is such that $n \equiv 0 \pmod 4$.

Proof: See [1, Beth et al., p. 55] or a similar text. ∎

The entries of the matrices specified above are as follows, with $\chi$ the quadratic character of $\mathbb{F}_q$ and the rows and columns $1 \le i, j \le q$ indexed by the elements of $\mathbb{F}_q$. For $q \equiv 3 \pmod 4$ the Hadamard matrix of order $q + 1$ is $H = (h_{i,j})$, $0 \le i, j \le q$,

$$h_{i,j} = \begin{cases} 1 & \text{if } i = 0 \text{ or } j = 0, \\ \chi(j - i) & \text{if } i \neq j \text{ and } 1 \le i, j \le q, \\ -1 & \text{if } i = j \text{ and } 1 \le i \le q. \end{cases}$$

For $q \equiv 1 \pmod 4$ the construction starts from the symmetric conference matrix $S = (s_{i,j})$ of order $q + 1$ (Lemma 2.16),

$$s_{i,j} = \begin{cases} 1 & \text{if } i = 0 \text{ or } j = 0, \text{ and } i \neq j, \\ \chi(j - i) & \text{otherwise,} \end{cases}$$

and replaces each entry of $S$ by a $2 \times 2$ block: $H = S \otimes \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} + I_{q+1} \otimes \begin{pmatrix} 1 & -1 \\ -1 & -1 \end{pmatrix}$ is a Hadamard matrix of order $2(q + 1)$.
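The constructions above, as an added Python example that is not code from the book: the quadratic character is computed by Euler's criterion, so $r$ and $q$ are restricted here to primes (an assumption of this example; prime powers would need $\mathbb{F}_q$ arithmetic). The script builds the circulant $R$ of Lemma 2.14, the conference matrix $S$ of Lemma 2.16 (so that $S_6$ of Example 2.17 can be reproduced), Paley's Hadamard matrices for both residue classes, and Sylvester's $H_{2^k}$, and checks the defining identities $SS^T = rI$ and $HH^T = nI$. Function names are this example's own.

```python
# Added example: quadratic-character matrices and Hadamard constructions.
# Matrices are lists of integer rows; p is assumed prime throughout.

def quadratic_character(a, p):
    """chi(a): 0 if p | a, +1 if a is a nonzero square mod p, -1 otherwise (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def jacobsthal(p):
    """R = (chi(j - i)) = circ[chi(p-1), ..., chi(1), chi(0)] of Lemma 2.14."""
    return [[quadratic_character(j - i, p) for j in range(p)] for i in range(p)]

def conference_matrix(p):
    """S of Lemma 2.16 for p = 1 mod 4: ones in row/column 0 off the diagonal,
    chi(j - i) inside; symmetric with S^2 = p I_{p+1}."""
    if p % 4 != 1:
        raise ValueError("p must be 1 mod 4")
    n = p + 1
    S = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i != j and (i == 0 or j == 0):
                S[i][j] = 1
            elif i and j:
                S[i][j] = quadratic_character(j - i, p)
    return S

def paley_hadamard(p):
    """Hadamard matrix of order p + 1 (p = 3 mod 4, the entries h_{i,j} of the
    text) or 2(p + 1) (p = 1 mod 4, each entry of S replaced by a 2 x 2 block)."""
    n = p + 1
    if p % 4 == 3:
        H = [[0] * n for _ in range(n)]
        for i in range(n):
            for j in range(n):
                if i == 0 or j == 0:
                    H[i][j] = 1
                elif i == j:
                    H[i][j] = -1
                else:
                    H[i][j] = quadratic_character(j - i, p)
        return H
    S = conference_matrix(p)
    A, B = [[1, 1], [1, -1]], [[1, -1], [-1, -1]]   # H = S (x) A + I (x) B
    H = [[0] * (2 * n) for _ in range(2 * n)]
    for i in range(n):
        for j in range(n):
            for a in range(2):
                for b in range(2):
                    H[2 * i + a][2 * j + b] = S[i][j] * A[a][b] + (i == j) * B[a][b]
    return H

def sylvester(k):
    """H_{2^k} = H_2 (x) H_{2^{k-1}}, starting from H_1 = [1]."""
    H2, H = [[1, 1], [1, -1]], [[1]]
    for _ in range(k):
        H = [[s * h for s in H2[a] for h in row] for a in range(2) for row in H]
    return H

def gram(M):
    """M M^T."""
    return [[sum(x * y for x, y in zip(r, s)) for s in M] for r in M]

def is_hadamard(H):
    n = len(H)
    entries_ok = all(x in (1, -1) for row in H for x in row)
    return entries_ok and gram(H) == [[n * (i == j) for j in range(n)] for i in range(n)]

def is_conference(S):
    n = len(S)
    zero_diag = all(S[i][i] == 0 for i in range(n))
    return zero_diag and gram(S) == [[(n - 1) * (i == j) for j in range(n)] for i in range(n)]
```

The row sums of `jacobsthal(p)` vanish, which is the singularity of $R$ proved in Lemma 2.14 seen on the matrix side: $R$ times the all-ones vector is zero.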

Theorem 2.25. (1) If $H_n = (h_{i,j})$ is a Hadamard matrix of order $n$, then $n = 1$, $n = 2$, or $n = 4k$, $k \ge 1$. Conversely, Hadamard matrices exist for
(2) every order $n = 2^k$, $k \ge 0$ (Sylvester), and
(3) every order $n = 2^e(q + 1)$, where $q$ is a prime power and $e \ge 0$ is such that $n \equiv 0 \pmod 4$ (Paley).

Whether the condition in statement (1) is also sufficient is not known. In other words, the converse $n = 4k \Rightarrow$ there exists a Hadamard matrix of order $n$ is open; this is one of the main open problems in the theory of orthogonal arrays.

Lemma 2.26. (Hadamard 1893) The determinant of $H_n$ satisfies $\lvert \det(H_n) \rvert = n^{n/2}$.

Proof: The matrix $H_n$ attains equality in the determinant inequality

$$\det(A)^2 \le \prod_{i=0}^{n-1} \sum_{j=0}^{n-1} a_{i,j}^2,$$

valid for every real $n \times n$ matrix $A$. ∎

The only known circulant Hadamard matrix (up to equivalence) is

$$H_4 = \begin{pmatrix} 1 & 1 & 1 & -1 \\ -1 & 1 & 1 & 1 \\ 1 & -1 & 1 & 1 \\ 1 & 1 & -1 & 1 \end{pmatrix}.$$

The existence of other circulant Hadamard matrices is an open problem. However, it is known that the order of the next one, if any, is $n \ge 1898884$.

2.5 Multiplication Tables

Let $x = x_{n-1}\alpha_{n-1} + \cdots + x_1\alpha_1 + x_0\alpha_0$ and $y = y_{n-1}\alpha_{n-1} + \cdots + y_1\alpha_1 + y_0\alpha_0 \in \mathbb{F}_{q^n}$. The multiplication matrix

$$M = \begin{pmatrix} \alpha_0\alpha_0 & \alpha_0\alpha_1 & \cdots & \alpha_0\alpha_{n-1} \\ \alpha_1\alpha_0 & \alpha_1\alpha_1 & \cdots & \alpha_1\alpha_{n-1} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_{n-1}\alpha_0 & \alpha_{n-1}\alpha_1 & \cdots & \alpha_{n-1}\alpha_{n-1} \end{pmatrix}$$

is extracted from the product

$$xy = (x_0, x_1, \ldots, x_{n-1}) \begin{pmatrix} \alpha_0 \\ \alpha_1 \\ \vdots \\ \alpha_{n-1} \end{pmatrix} (\alpha_0, \alpha_1, \ldots, \alpha_{n-1}) \begin{pmatrix} y_0 \\ y_1 \\ \vdots \\ y_{n-1} \end{pmatrix}.$$

The equivalent description as an $n \times n^2$ matrix $T = (t_{i,j,k})$, where


$$\alpha_i\alpha_j = \sum_{k=0}^{n-1} t_{i,j,k}\,\alpha_k,$$

and $t_{i,j,k} \in \mathbb{F}_q$, is more useful.

There is practical interest in determining bases $\{ \alpha_{n-1}, \ldots, \alpha_1, \alpha_0 \}$ with very sparse multiplication matrices. A sparse multiplication matrix $M$ has low discrete weight $w(M) = \#\{ t_{i,j,k} \neq 0 : 0 \le i, j, k < n \}$.

Definition 2.27. The complexity of multiplication with respect to the basis $\{ \alpha_{n-1}, \ldots, \alpha_1, \alpha_0 \}$ of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is defined by

$$C(n) = \frac{1}{n}\, \#\{ t_{i,j,k} \neq 0 : 0 \le i, j, k < n \}.$$

The complexity of some highly structured $n \times n^2$ matrices $M = [ M_0\ M_1 \cdots M_{n-1} ]$, where each $M_i$ is an $n \times n$ matrix, reduces to $w(M_0) = \#\{ t_{0,j,k} \neq 0 : 0 \le j, k < n \}$. For example, for a normal basis $\{ \eta, \eta^q, \ldots, \eta^{q^{n-1}} \}$ and $\sigma(x) = x^q$,

$$\eta^{q^i}\eta^{q^j} = \sum_{k=0}^{n-1} t_{i,j,k}\,\eta^{q^k} = \sigma^i\bigl(\eta\,\eta^{q^{j-i}}\bigr) = \sum_{k=0}^{n-1} t_{0,\,j-i,\,k}\,\eta^{q^{k+i}},$$

with the indices $j - i$ and $k + i$ taken modulo $n$, so that $t_{i,j,k} = t_{0,\,j-i,\,k-i}$. Thus a single submatrix $T_0 = (t_{0,j,k})$ generates the entire $n \times n^2$ multiplication matrix $T = [ T_0\ T_1 \cdots T_{n-1} ]$ by cyclic shifts.

Definition 2.28. Let $A = (a_{i,j})$ be an $n \times n$ matrix. The weight and excess of $A$ are defined by $w(A) = \#\{ a_{i,j} \neq 0 \}$ and $e(A) = w(A) - n$ respectively.

Clearly, for nonsingular $A$, $n \le w(A) \le n^2$ and $0 \le e(A) \le n^2 - n$. Efficient algorithms for self-dual basis multipliers demand change of basis (between the dual bases) matrices of nearly zero excess, see [4, Berlekamp], [1, Stinson], and [2, Morgan et al.]. As far as multiplication algorithms based on self-dual bases are concerned, the ideal change of basis (between the dual bases) matrix $M : A \to B$ is a monomial matrix; permutation matrices are monomial matrices. Monomial matrices have excess $e(M) = 0$. Obviously, not all monomial changes of basis correspond to dual bases.

Let $\{ \delta_0, \delta_1, \ldots, \delta_{n-1} \}$ be the dual basis of the power basis $\{ 1, \alpha, \alpha^2, \ldots, \alpha^{n-1} \}$, and put $\beta_i = \alpha^{n_s} f'(\alpha)\,\delta_i$. Here the element $\alpha \in \mathbb{F}_{q^n}$ is a root of $f(x) = x^n + \sum_{i=0}^{t} a_{n_i}x^{n_i}$, and $s = \lceil t/2 \rceil$.


Theorem 2.29. (Morgan et al., 1997) Suppose that the minimal polynomial of $\alpha \in \mathbb{F}_{q^n}$ is $f(x) = x^n + \sum_{i=0}^{t} a_{n_i}x^{n_i}$, $0 = n_0 < n_1 < \cdots < n_t < n$. Then the change of basis matrix $A : \{ \alpha^i \} \to \{ \beta_i \}$ has excess equal to

$$e(A) = \begin{cases} \displaystyle\sum_{i=s+1}^{t} n_i - \sum_{i=1}^{s-1} n_i & t \text{ odd}, \\[2ex] \displaystyle\sum_{i=s+1}^{t} n_i - \sum_{i=1}^{s} n_i & t \text{ even}. \end{cases}$$

Example 2.30. (1) The change of basis matrix $A$ has excess $e(A) = 0$ if and only if either $f(x) = x^n + a_k x^k + a_0$ or $f(x) = x^n + a_0 \in \mathbb{F}_q[x]$, $0 < k < n$.
(2) The excess $e(A) = 1$ if and only if $f(x) = x^n + a_k x^k + a_{k-1}x^{k-1} + a_0 \in \mathbb{F}_q[x]$, $1 < k < n$.
(3) The excess $e(A) = 2$ if and only if either $f(x) = x^n + a_k x^k + a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + a_0$ or $f(x) = x^n + a_k x^k + a_{k-2}x^{k-2} + a_0 \in \mathbb{F}_q[x]$, $2 < k < n$.

Copyright 2001. - 37 - Structured Matrices


Chapter 3

Normal Bases


3.1 Basic Concepts

An important collection of bases of finite fields is known as normal bases. These bases are of interest in both theory and applications. Normal bases are employed in factorization algorithms, [1, Niederreiter], cyclic codes, and testing/signature analysis, [1, Hoffner et al.]. This chapter presents a variety of basic ideas and techniques applicable to normal bases.

Let G be a group and let S be a set. The G-orbit orb(x) of x ∈ S is defined by orb(x) = { ρ(x) : ρ ∈ G }. The structure and size of the orbit of a point or a subset of points depends on the group G. In particular, if G = Z is the set of integers, then the Z-orbit orb(α) = { α^n : n ∈ Z } of the fixed element α ∈ F_{q^n} coincides with the cyclic group generated by α. But if G = Gal(F_{q^n}/F_q) = { σ, σ², ..., σ^{n−1} } is the set of automorphisms of F_{q^n} over F_q, then the G-orbit orb(α) = { σ(α) : σ ∈ Gal(F_{q^n}/F_q) } of the element α ∈ F_{q^n} coincides with the set

$$\{\alpha^{q^{n-1}}, \ldots, \alpha^{q}, \alpha\}$$

of conjugates of α.

Definition 3.1. A basis N = { η_{n−1}, …, η_1, η_0 } of F_{q^n} over F_q is said to be a normal basis if it is the orbit of some element η ∈ F_{q^n}, viz, N = orb(η) = { σ(η) : σ ∈ Gal(F_{q^n}/F_q) }. A primitive normal basis is a basis generated by a primitive element η of F_{q^n}.

If the element η ∈ F_{q^n} is normal, then each element α ∈ F_{q^n} has an expansion of the form

$$\alpha = a_{n-1}\eta^{q^{n-1}} + \cdots + a_1\eta^{q} + a_0\eta, \qquad a_i \in F_q.$$

Computational Properties of Normal Bases

Let η ∈ F_{q^n} be a normal element, and let α, β ∈ F_{q^n}.

$$(1)\quad \alpha + \beta = \sum_{i=0}^{n-1}(a_i + b_i)\,\eta^{q^i},$$

$$(2)\quad \alpha\beta = \sum_{i=0}^{n-1} c_i(\alpha,\beta,\eta)\,\eta^{q^i},$$

$$(3)\quad \alpha^{q} = a_{n-2}\eta^{q^{n-1}} + \cdots + a_0\eta^{q} + a_{n-1}\eta,$$

$$(4)\quad \alpha^{1/q} = a_0\eta^{q^{n-1}} + \cdots + a_2\eta^{q} + a_1\eta.$$


The coefficient function c_i(α,β,η) for multiplication is completely and uniquely determined by the element η. Property (3) above states that computing the qth power of α ∈ F_{q^n} is equivalent to a left cyclic shift

(a_{n−1}, a_{n−2}, …, a_1, a_0) → (a_{n−2}, a_{n−3}, …, a_0, a_{n−1})

of the coordinates of α with respect to a normal basis. The next property can be interpreted as a statement about the existence of qth roots of elements of F_{q^n}. A right cyclic shift of the coefficients

(a_{n−1}, a_{n−2}, …, a_1, a_0) → (a_0, a_{n−1}, …, a_2, a_1)

computes the qth root of any element of F_{q^n}. In particular, in the field F_{2^n}, the square α² of α is computed by a left cyclic shift of the coefficients of α with respect to a normal basis, and the square root is computed by a right cyclic shift of the coefficients.

The computational properties of normal bases are the cornerstones of finite field multipliers, see [1, Geiselmann et al], [1, Hasan et al], [1, Itoh et al], et cetera.

Remark: A normal basis representation of F2n provides a trivial proof of a result in fields of characteristic char(F) = 2, which states that every element in the field is a square, so it has a square root.

3.2 Existence of Normal Bases

The vector space Fqn has the structure of a cyclic vector space. Accordingly all the tools of linear algebra applicable to cyclic vector spaces are available.

Lemma 3.2. Let A ∈ GL_n(F_q) be a linear map on the vector space V. Then there exists a vector v such that { v, Av, A²v, A³v, ..., A^{n−1}v } is a basis of V if and only if the characteristic polynomial c(x) = det(A − xI_n) and the minimal polynomial f(x) = a_d x^d + ⋅⋅⋅ + a_1 x + a_0 of A are identical.

Both the minimal polynomial f(x) of A and the characteristic polynomial c(x) annihilate the linear map A, id est, c(A) = f(A) = a_d A^d + ⋅⋅⋅ + a_1 A + a_0 = 0. Furthermore, deg(f(x)) ≤ deg(c(x)). For application to finite fields, let v = η be a normal element and let the linear map A = σ be the canonical automorphism. In this setting the subset { v, Av, A²v, ..., A^{n−1}v } = { η, η^q, ... } is precisely a normal basis.


Theorem 3.3. (Normal Basis Theorem). The vector space Fqn over Fq has a normal basis for all n ≥ 1.

Proof: This is a consequence of the previous lemma; see also [1 Lidl et al, p.60], [1, Waterhouse], [1, van der Waerden, p. 200-204].

The normal basis theorem was developed by at least three authors between 1850 to 1888, [1 Lidl et al, p.76].

Lemma 3.4. (Normal basis projection lemma) Suppose η generates a normal basis for F_{q^n} over F_q, and n = de. Then γ = Tr_{n:d}(η) generates a normal basis for F_{q^d} over F_q, where Tr_{n:d} : F_{q^n} → F_{q^d} is the relative trace.

Proof: Suppose that $\gamma = \sum_{j=0}^{e-1} \eta^{q^{dj}}$ does not generate a normal basis of F_{q^d} over F_q. Then

$$a_{d-1}\gamma^{q^{d-1}} + \cdots + a_1\gamma^{q} + a_0\gamma = 0$$

for some nontrivial vector (a_{d−1}, …, a_1, a_0) ≠ (0, …, 0, 0). But this implies that

$$\sum_{i=0}^{d-1} a_i\left(\sum_{j=0}^{e-1}\eta^{q^{dj}}\right)^{q^i} = \sum_{i=0}^{d-1}\sum_{j=0}^{e-1} a_i\,\eta^{q^{dj+i}} = \sum_{k=0}^{n-1} b_k\,\eta^{q^k} = 0,$$

where b_k = a_i for k ≡ i mod d (every k = dj + i arises exactly once), in contradiction of the linear independence of the subset { η^{q^{n−1}}, ..., η^q, η }. ∎

3.3 Iterative Construction of Normal Bases

The idea of iterative construction of normal bases is the synthesis of normal bases for F_{q^n} from the normal bases of the individual subfields of F_{q^n}. Moreover, to construct the multiplication table of F_{q^n}, simply take the tensor product of the individual multiplication tables of the subfields. The result below is the foundation of the iterated construction of normal bases of F_{q^n} over F_q for composite degree n.

Lemma 3.5. (Semaev 1988) Let n = rs, gcd(r, s) = 1, and let { α_{r−1}, …, α_1, α_0 } and { β_{s−1}, …, β_1, β_0 } be normal bases of F_{q^r} and F_{q^s} over F_q respectively. Then

(1) The subset { α_{r−1}β_{s−1}, …, α_0β_1, α_0β_0 } is a normal basis of F_{q^n} over F_q.

(2) If R = ( r_{i_1,j_1} ) and S = ( s_{i_2,j_2} ) are the multiplication tables (submatrices) of F_{q^r} and F_{q^s} respectively, then T = ( t_{i,j} ) = ( r_{i_1,j_1} s_{i_2,j_2} ), where

$$i \equiv \frac{i_1 s + i_2 r}{r+s} \bmod rs, \qquad j \equiv \frac{j_1 s + j_2 r}{r+s} \bmod rs,$$

is the multiplication table (submatrix) of F_{q^n}, with 0 ≤ i, j < n.

Proof: (1) Since gcd(r+s, rs) = 1, the composition map φ : Z_r × Z_s → Z_{rs} defined by

$$(x, y) \to \frac{xs + yr}{r+s} \bmod rs$$

is one-to-one. Put η_k = α_iβ_j, k ≡ (is + jr)/(r + s) mod rs, and let σ ∈ Gal(F_{q^n}/F_q). Then

$$\sigma^d(\eta_k) = \sigma^d(\alpha_i\beta_j) = \alpha_{i+d}\beta_{j+d} = \eta_{k+d},$$

since k + d ≡ [(i+d)s + (j+d)r]/(r + s) mod rs. This implies that η_k is normal.

(2) The entries of the matrix T = ( t_{i,j} ) are defined by $\eta_0\eta_i = \sum_{j=0}^{n-1} t_{i,j}\,\eta_j$. In addition η_0η_i = α_0β_0α_{i_1}β_{i_2} = α_0α_{i_1}β_0β_{i_2}. Hence

$$\eta_0\eta_i = \left(\sum_{j_1=0}^{r-1} r_{i_1,j_1}\alpha_{j_1}\right)\left(\sum_{j_2=0}^{s-1} s_{i_2,j_2}\beta_{j_2}\right) = \sum_{j_1=0}^{r-1}\sum_{j_2=0}^{s-1} r_{i_1,j_1}s_{i_2,j_2}\,\alpha_{j_1}\beta_{j_2} = \sum_{j=0}^{n-1} t_{i,j}\,\eta_j.$$

These prove the claims about the subset { η_{n−1}, …, η_1, η_0 } = { α_{r−1}β_{s−1}, …, α_0β_1, α_0β_0 }. ∎


3.4 Additive Order and Decomposition Theorem

The F_q-linear map ∘ : F_q[x] × F_{q^n} → F_{q^n} is defined by

$$f(x)\circ\alpha = a_k\alpha^{q^k} + \cdots + a_1\alpha^{q} + a_0\alpha.$$

The pairing (f(x), α) = f(x)∘α turns the additive group F_{q^n} into a cyclic F_q[x]-module, and the F_q[x]-module structure of the additive group F_{q^n} induces the additive order of elements.

Definition 3.6. The additive order Ord(α) of an element α ∈ F_{q^n} is the monic polynomial a(x) of least degree such that a(x)∘α = 0; equivalently, a(x)∘α = 0 but b(x)∘α ≠ 0 for every proper divisor b(x) of a(x).

The additive order Ord(α) = a(x) is always a divisor of x^n − 1. Thus there is a monic polynomial a(x) of degree < n for which a(x)∘α = a_{n−1}σ^{n−1}(α) + ⋅⋅⋅ + a_1σ(α) + a_0α = 0. The following identities are readily verified.

(1) Ord(0) = 1, since a(x) = 1 is the divisor of x^n − 1 of least degree such that a(x)∘0 = 0,
(2) Ord(α) = x − 1 for all 0 ≠ α ∈ F_q, since (x − 1)∘α = α^q − α = 0,
(3) Ord(α_1 + ⋅⋅⋅ + α_r) = a_1(x)a_2(x) ⋅⋅⋅ a_r(x), where Ord(α_i) = a_i(x) divides x^n − 1 and the a_i(x) are pairwise relatively prime,
(4) Ord(α+β) = Ord(α)Ord(β)/gcd(Ord(α), Ord(β)).

Definition 3.7. An element η ∈ F_{q^n} is normal over F_q if and only if Ord(η) = x^n − 1.

Lemma 3.8. Let α ∈ F_{q^n}. Then

(1) The set V_α = { f(x)∘α : f(x) ∈ F_q[x] } is a vector space of dimension deg(Ord(α)).
(2) The set { α, σ(α), …, σ^{n−1}(α) } spans a vector space of dimension deg(Ord(α)).

The additive order characterization of elements leads straight to the standard normal test. The standard normal test, which consists of a system of inequalities, is the additive version of the Lucas test for primitive elements in a cyclic group; all the intricacies of the multiplicative version carry over mutatis mutandis.

Theorem 3.9. (Standard Normal Test) An element η ∈ F_{q^n} is a normal element over F_q if and only if the system of inequalities

$$\frac{x^n - 1}{a(x)}\circ\eta \neq 0$$

holds for all irreducible factors a(x) of x^n − 1 ∈ F_q[x].

Proof: Let a(x) be an irreducible factor of x^n − 1, and let a(x)^v | x^n − 1, but a(x)^{v+1} not a divisor of x^n − 1, v ≥ 0. Then the hypothesis [(x^n − 1)/a(x)]∘η ≠ 0 implies that the polynomial (x^n − 1)/a(x) cannot annihilate η, so a(x)^v must be a factor of the annihilator Ord(η) of η. Since the factor a(x) is arbitrary, the order Ord(η) of η is divisible by all divisors a(x)^v of x^n − 1. Specifically x^n − 1 | Ord(η). But by definition Ord(η) | x^n − 1, so Ord(η) = x^n − 1. ∎

Lemma 3.10. Let η be a normal element in F_{q^n} over F_q and let x^n − 1 = a(x)b(x). Then γ = b(x)∘η is an element of order Ord(γ) = a(x) in F_{q^n} over F_q.

Proof: Same technique as above. ∎

The techniques employed in these proofs are extensively used in the literature, see [1, Schwarz], [1, von zur Gathen et al.], [1, Lenstra et al.], etc.

Example 3.11. For n = 3, there are two possibilities.

(1) The case x³ − 1 = (x − 1)(x² + x + 1) ∈ F_q[x], with x² + x + 1 irreducible, occurs if q ≡ 2 mod 3 (or q = 2^v, v odd). The test has two inequalities:

$$(i)\quad \frac{x^n - 1}{x - 1}\circ\eta = \mathrm{Tr}(\eta) \neq 0, \qquad (ii)\quad \frac{x^n - 1}{x^2 + x + 1}\circ\eta = \eta^{q} - \eta \neq 0.$$

(2) And the case x³ − 1 = (x − 1)(x − a)(x − b) ∈ F_q[x] occurs if q ≡ 1 mod 3 (or q = 2^v, v even). The test has three inequalities:

$$(i)\quad \frac{x^n - 1}{x - 1}\circ\eta = \mathrm{Tr}(\eta) \neq 0, \qquad (ii)\quad \frac{x^n - 1}{x - a}\circ\eta = \eta^{q^2} - (b+1)\eta^{q} + b\eta \neq 0, \qquad (iii)\quad \frac{x^n - 1}{x - b}\circ\eta = \eta^{q^2} - (a+1)\eta^{q} + a\eta \neq 0.$$

If the system of inequalities (1) or (2), whichever applies, holds, then the element η is normal in F_{q^3} over F_q.

Let x^n − 1 = (x − 1)f_1(x)f_2(x) ⋅⋅⋅ f_k(x), gcd(f_i(x), f_j(x)) = 1, and let V_i = { α ∈ F_{q^n} : f_i(x)∘α = 0 } be a cyclic submodule of the F_q[x]-module F_{q^n}. Each V_i is a σ-invariant subspace of the vector space. Since x − 1 divides x^n − 1, the first submodule V_0 = { α ∈ F_{q^n} : (x − 1)∘α = 0 } = F_q is common to all cases.


Theorem 3.12. (Decomposition theorem) (1) The vector space F_{q^n} = V_0 ⊕ V_1 ⊕ ⋅⋅⋅ ⊕ V_k. (2) Every α ∈ F_{q^n} has a unique decomposition as α = α_0 + α_1 + ⋅⋅⋅ + α_k, where α_i ∈ V_i.

This is due to [1, Pencin] and [1, Semaev]; see also [1, Menezes et al] for a proof. An element η ∈ F_{q^n} is a normal element over F_q if and only if the decomposition η = η_0 + η_1 + ⋅⋅⋅ + η_k satisfies η_i ≠ 0 for all i ≥ 0. The sum η = η_0 + η_1 + ⋅⋅⋅ + η_k of the generators of the cyclic submodules V_i is a generator of the module F_{q^n}, that is, η is a normal element in F_{q^n} over F_q.

Lemma 3.13. Let ord_n(q) = n − 1, n prime, and let α ∈ F_{q^n} − F_q. Suppose that aTr(α) + bn ≠ 0, a, b ∈ F_q, a ≠ 0. Then η = aα + b is a normal element in F_{q^n}.

Proof: The multiplicative order ord_n(q) = n − 1 implies that x^n − 1 = (x − 1)f_1(x), where f_1(x) is irreducible of degree n − 1, and the system of inequalities of the standard normal test has only two lines:

(i) (x − 1)∘η = η^q − η = (aα + b)^q − (aα + b) = a(α^q − α) ≠ 0,

(ii) f_1(x)∘η = Tr(η) = aTr(α) + bn ≠ 0.

By hypothesis α ∉ F_q and aTr(α) + bn ≠ 0; so the test is valid. ∎

The situation described in the previous lemma is the simplest decomposition possible, namely, F_{q^n} = V_0 ⊕ V_1 = F_q ⊕ (F_{q^n} − F_q). Accordingly, a normal element is a sum of two elements η = η_0 + η_1, such that 0 ≠ η_0 ∈ F_q and η_1 ∈ F_{q^n} − F_q.

3.5 Normal Tests

Other techniques for identifying normal elements are discussed in this section.

Let { η_{n−1}, …, η_1, η_0 } ⊂ F_{q^n} be a subset of conjugate elements. The regular matrix representation attached to this subset is given by

$$N = \left(\eta^{q^{i+j}}\right) = \begin{pmatrix} \eta & \eta^{q} & \eta^{q^2} & \cdots & \eta^{q^{n-1}} \\ \eta^{q} & \eta^{q^2} & \eta^{q^3} & \cdots & \eta \\ \eta^{q^2} & \eta^{q^3} & \eta^{q^4} & \cdots & \eta^{q} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ \eta^{q^{n-1}} & \eta & \eta^{q} & \cdots & \eta^{q^{n-2}} \end{pmatrix}$$

and the trace matrix representation is given by

$$T = \left(\mathrm{Tr}\!\left(\eta^{q^i + q^j}\right)\right).$$

A cursory observation reveals that these two matrices are symmetric.

Theorem 3.14. (Matrix Normal Test) A subset { η_{n−1}, …, η_1, η_0 } of conjugate elements is a normal basis of F_{q^n} over F_q if and only if the matrices N and T are nonsingular.

A few other normality tests are based on polynomial computations. The resultant of a pair of polynomials and the formula for the determinant of a circulant matrix will be employed to prove the next result; see the chapter on circulant matrices for more details.

Theorem 3.15. (Gcd Normal Test) Let η ∈ F_{q^n}. Then the conjugate set { η^{q^{n−1}}, ..., η^q, η } of η forms a normal basis of F_{q^n} over F_q if and only if the polynomials

$$f(x) = x^n - 1 \quad\text{and}\quad g(x) = \eta^{q^{n-1}}x^{n-1} + \cdots + \eta^{q^2}x^2 + \eta^{q}x + \eta$$

are relatively prime in F_{q^n}[x], i.e., 0 ≠ gcd(f(x), g(x)) ∈ F_q.

Proof: Clearly N is a circulant matrix, so the determinant det(N) is equal to the resultant

$$R(f, g) = \pm\prod_{i=0}^{n-1} g(\theta^i),$$

where θ is a root of f(x) = x^n − 1 whose powers θ^i run through all the roots of f(x). Moreover, R(f(x), g(x)) ≠ 0 if and only if f(x) and g(x) do not share any roots, id est, gcd(f(x), g(x)) is a nonzero constant. This proves the claim. ∎

The core of this proof appears in [1, Davenport]; see also [1, Lidl and Niederreiter].

Each term g(θ^i) is an eigenvalue of the circulant matrix N. The first term g(1) in the product R(f, g) = Π_i g(θ^i) is just the trace Tr(η) = g(1) of the element η. If n is even then −1 is a root of x^n − 1, and the term g(−1) is equal to the alternating trace

$$\mathrm{Tr}^*(\eta) = (-1)^{n-1}\eta^{q^{n-1}} + \cdots + \eta^{q^2} - \eta^{q} + \eta,$$

which is therefore also a factor of R(f, g) = Π_i g(θ^i). Consequently, if the element η is a normal element and n is even, then both the trace Tr(η) = g(1) and the alternating trace Tr*(η) = g(−1) have nonzero values.

3.6 Polynomial Representations

The set of units in the polynomial ring F_q[x]/(x^n − 1) (its multiplicative group) has many properties in common with the set of normal bases of F_{q^n} over F_q. This analogy provides a vehicle for deriving various properties of the set of normal bases.

The map κ : F_{q^n} → F_q[x]/(x^n − 1) is defined by

$$\alpha \to c_\alpha(x) = \sum_{i=0}^{n-1}\mathrm{Tr}\!\left(\alpha^{1+q^i}\right)x^i = \sum_{i=0}^{n-1} c_i x^i.$$

This map is of considerable importance in the investigation of dual normal bases and normal polynomials of degree n in F_q[x]. The polynomial c_α(x) ∈ F_q[x]/(x^n − 1) is the polynomial representation of the element α ∈ F_{q^n}.

Lemma 3.16. The additive groups F_{q^n} and F_q[x]/(x^n − 1) are isomorphic.

The relationship between the subset of normal elements of F_{q^n} and the multiplicative group U_n(q) of F_q[x]/(x^n − 1) is significant and intricate. The first idea considers the into property of the map under consideration.

Lemma 3.17. The correspondence α → c_α(x) is a-to-one, a ≥ 1.

Since the correspondence η → c_η(x) is not one-to-one, the image of a subset of normal elements is not necessarily a subgroup of the group of units of F_q[x]/(x^n − 1).

Let the map τ : F_q(x) → F_q(x) be the involution τ(x) = x^{−1} on the polynomial ring F_q[x]/(x^n − 1). The self-reciprocal polynomials f(x) = f*(x), (1-cycles), are the fixed points of the involution τ, and the non self-reciprocal polynomials f(x) ≠ f*(x), (2-cycles), are mapped to their counterparts: f(x) → f*(x) → f(x). The map τ is very closely associated with the matrix transpose map t : GL_n(F_q) → GL_n(F_q), given by A → A^T.


The polynomial c_α(x) = a(x)τ(a(x)), where τ(a(x)) = a*(x) is the reciprocal polynomial of a(x) in F_q[x]/(x^n − 1), establishes a reversed correspondence between the normal element η and γ = a^{−1}(x)∘η. The coefficients of a(x) = a_{n−1}x^{n−1} + ⋅⋅⋅ + a_1x + a_0 ∈ F_q[x]/(x^n − 1) are the coordinates of the expansion of η with respect to the normal element γ, that is,

$$\eta = a_{n-1}\gamma^{q^{n-1}} + \cdots + a_2\gamma^{q^2} + a_1\gamma^{q} + a_0\gamma,$$

and the coefficients of a^{−1}(x) = b_{n−1}x^{n−1} + ⋅⋅⋅ + b_1x + b_0 ∈ F_q[x]/(x^n − 1) are the coordinates of the expansion of γ with respect to the normal element η, that is,

$$\gamma = b_{n-1}\eta^{q^{n-1}} + \cdots + b_2\eta^{q^2} + b_1\eta^{q} + b_0\eta.$$

The set of polynomials ℑ = { c_α(x) : α ∈ F_{q^n} } is not a subset of the multiplicative group U_n(q) of units in F_q[x]/(x^n − 1); however, the subset of polynomials ℘ = { c_η(x) : η ∈ F_{q^n} is normal } is a subset of U_n(q).

Lemma 3.18. (Lacan et al.) Suppose F_{q^n} has at least one self-dual normal basis over F_q. Then the following hold.

(1) The sets of polynomials ℘ = { c_η(x) : η ∈ F_{q^n} is normal } and ℜ = { c_η(x) = a(x)τ(a(x)) } are equal.
(2) The set of polynomials ℘ = { c_η(x) : η ∈ F_{q^n} is normal } is a multiplicative subgroup of the group of units U_n(q).

Proof: (1) Assume there exists a self-dual normal basis { η^{q^{n−1}}, ..., η^q, η } of F_{q^n} over F_q, and let

$$\alpha = a_{n-1}\eta^{q^{n-1}} + \cdots + a_1\eta^{q} + a_0\eta.$$

Then using the self-dual basis relation Tr(η_iη_j) = δ_{i,j}, it follows that

$$c_\alpha(x) = \sum_{i=0}^{n-1}\mathrm{Tr}\!\left(\alpha^{1+q^i}\right)x^i = \sum_{i=0}^{n-1}\mathrm{Tr}\!\left(\left(\sum_{j=0}^{n-1} a_j\eta^{q^j}\right)\left(\sum_{k=0}^{n-1} a_k\eta^{q^{k+i}}\right)\right)x^i = \sum_{i=0}^{n-1}\left(\sum_{j=0}^{n-1} a_j a_{j-i}\right)x^i = a(x)\tau(a(x)),$$

where a(x) = a_{n−1}x^{n−1} + ⋅⋅⋅ + a_1x + a_0. Ergo each α ∈ F_{q^n} is mapped to a product a(x)τ(a(x)). On the contrary, if there is no self-dual normal basis { η^{q^{n−1}}, ..., η^q, η } of F_{q^n} over F_q and the sets of polynomials ℘ and ℜ are equal, then the polynomial a(x) = 1 ∈ ℜ, a(x)τ(a(x)) = 1, implies that c_α(x) = 1 ∈ ℘. This in turn implies the existence of a self-dual normal basis of F_{q^n} over F_q, in contradiction of the hypothesis.

(2) Again assume that there is a self-dual normal basis generated by η. Then

$$c_\eta(x) = \sum_{i=0}^{n-1}\mathrm{Tr}\!\left(\eta^{q^i+1}\right)x^i = 1.$$

But since 1 ∈ ℘ = { c_η(x) : η ∈ F_{q^n} is normal } and c_η(x) = a(x)τ(a(x)) with a(x) invertible in F_q[x]/(x^n − 1), and 1 ∈ ℘, it is also clear that every normal element η ∈ F_{q^n} is mapped to an invertible polynomial c_η(x) in F_q[x]/(x^n − 1). Thus the set ℘ is a group. Conversely, if there is no self-dual normal basis, then 1 ∉ ℘, so it is not a group. ∎

Let 𝒩 = { normal bases of F_{q^n} over F_q }, and let ker(κ) = { η normal : c_η(x) = 1 } be the kernel of the map κ(η) = c_η(x) on normal elements. The inverse image κ^{−1}(1) is the set of all self-dual normal bases of F_{q^n} over F_q, and the quotient G = 𝒩/ker(κ) is a group if ker(κ) ≠ ∅. Note that the subset { α, α^q, ..., α^{q^{n−1}} } is not contained in κ^{−1}(1) if α generates a non self-dual normal basis.

Lemma 3.19. Let n = 2k + 1, and let q = 2. Then the quotient group G is a group of order

$$\#G = \prod_{i=1}^{t}\left(2^{c_i} - 1\right)\prod_{i=t+1}^{u}\left(2^{d_i} - 1\right).$$

Proof: n odd implies the existence of a self-dual normal basis, so ker(κ) ≠ ∅. Moreover, the ratio of the cardinalities of the multiplicative group U_n and the kernel ker(κ) is

$$\frac{\Phi(x^n - 1)}{SDN_n(q)} = (q - 1)\prod_{i=1}^{t}\left(q^{c_i} - 1\right)\prod_{i=t+1}^{u}\left(q^{d_i} - 1\right);$$

see the sections on distributions of normal bases and self-dual normal bases below for specifics on the integers c_i and d_i. ∎

Lemma 3.20. Let n be an odd integer, x^n − 1 = (x − 1)f_1(x)f_2(x) ⋅⋅⋅ f_{r−1}(x), and q = 2^v. Then

(1) The polynomial κ(η) = c_η(x) = c(x) is a square in F_q[x]/(x^n − 1) = A_r ⊕ ⋅⋅⋅ ⊕ A_2 ⊕ A_1, and c(x) = c_r(x) ⊕ ⋅⋅⋅ ⊕ c_2(x) ⊕ c_1(x), where each c_i(x) ≡ c(x) mod f_i(x) is a square in A_i = F_q[x]/(f_i(x)).
(2) The inverse b(x) of the polynomial c(x) is given by

$$b(x) = \sum_{i=0}^{n-1} b_i x^i = c\!\left(x^2\right)^{2^{uv-1}-1},$$

where u is the order of q modulo n.

Proof: See [3, Poli]. ∎

3.7 Dual Normal Bases

All pairs of dual bases are linked via nonsingular matrices. Moreover, if the bases are normal, then the change of basis matrices between normal bases are circulants. To investigate the structure of the matrices in normal bases change of bases and the dual bases equation, let C = ( c_{i,j} ) ∈ GL_n(F_q) be a nonsingular matrix, and let

$$\delta_i = \sum_{j=0}^{n-1} c_{i,j}\,\eta^{q^j}$$

define a change of basis.

Theorem 3.21. The basis { δ_{n−1}, …, δ_1, δ_0 } is a normal basis if and only if the matrix C is circulant.

Proof: Suppose that the matrix is circulant. Then C = cir[c_{n−1}, …, c_1, c_0] = ( c_{j−i} ), and

$$\delta_i = \sum_{j=0}^{n-1} c_{j-i}\,\eta^{q^j} = \left(\sum_{j=0}^{n-1} c_{j-i}\,\eta^{q^{j-i}}\right)^{q^i} = \delta_0^{q^i}.$$

Conversely, if the elements δ_{n−1}, …, δ_1, δ_0 are normal, and C = ( c_{i,j} ) is a nonsingular matrix, let δ_0 = δ; then

$$\delta^{q^i} = \left(\sum_{j=0}^{n-1} c_{0,j}\,\eta^{q^j}\right)^{q^i} = \sum_{j=0}^{n-1} c_{0,j-i}\,\eta^{q^j}.$$

Thus C = ( c_{i,j} ) = ( c_{j−i} ) is circulant. ∎

Lemma 3.22. The dual basis { δ_{n−1}, …, δ_1, δ_0 } of a normal basis { η_{n−1}, …, η_1, η_0 } is also a normal basis.

Proof: Consider the dual bases matrix equation ND^t = I_n. Since the matrix N of a normal basis { η_1, η_2, ..., η_n } is a symmetric matrix, we have ND^t = N^tD^t = (DN)^t = I_n, so DN = I_n as well and D = N^{−1} is symmetric. This implies that the regular representation matrix D of the dual normal basis { δ_1, δ_2, ..., δ_n } is a symmetric matrix. But since the regular representation matrix of a basis is a symmetric matrix if and only if the basis is a normal basis, we conclude that { δ_1, δ_2, ..., δ_n } is also a normal basis. ∎


Naturally every element is a linear combination of the basis elements, but to give a specific linear combination corresponding to a given element is a different matter. In some cases this can be done. The coefficients of the inverse b(x) = b_{n−1}x^{n−1} + ⋅⋅⋅ + b_1x + b_0 of the polynomial a_η(x) = a_{n−1}x^{n−1} + ⋅⋅⋅ + a_1x + a_0 ∈ F_q[x]/(x^n − 1) are the coordinates of the dual δ of η with respect to the basis generated by η.

Theorem 3.23. (Gao 1994) Let { η_{n−1}, …, η_1, η_0 } be a normal basis of F_{q^n} over F_q, and let a(x) = a_{n−1}x^{n−1} + ⋅⋅⋅ + a_1x + a_0 ∈ F_q[x], where a_i = Tr(η_0η_i). Then the generator of the dual basis { δ_{n−1}, …, δ_1, δ_0 } is given by δ = b_{n−1}η_{n−1} + ⋅⋅⋅ + b_1η_1 + b_0η_0, where a(x)b(x) ≡ 1 mod (x^n − 1).

Proof: The product a(x)b(x) of a(x) and b(x) in F_q[x]/(x^n − 1) is given by

$$a(x)b(x) \equiv \sum_{i=0}^{n-1}\sum_{j=0}^{n-1} a_i b_j\, x^{i+j} \bmod (x^n - 1) \equiv \sum_{i=0}^{n-1}\left(\sum_{j=0}^{n-1} a_{j-i}\, b_j\right)x^i,$$

where the inner sum is the circular convolution of the coordinates of a(x) and b(x) (indices are taken modulo n, and a_{−m} = a_m because a_m = Tr(ηη^{q^m}) = Tr(η^{q^{−m}}η) = a_{−m}). Moreover, the constraint a(x)b(x) ≡ 1 mod (x^n − 1) implies

$$\sum_{j=0}^{n-1} a_{j-i}\, b_j = \begin{cases} 1 & \text{if } i = 0,\\ 0 & \text{if } i \neq 0.\end{cases}$$

Evaluating the dual bases equation Tr(η_iδ_j) returns

$$\mathrm{Tr}\!\left(\eta^{q^i}\delta^{q^j}\right) = \mathrm{Tr}\!\left(\eta^{q^i}\left(\sum_{k=0}^{n-1} b_k\eta^{q^k}\right)^{q^j}\right) = \sum_{k=0}^{n-1} b_k\,\mathrm{Tr}\!\left(\eta^{q^i}\eta^{q^{k+j}}\right) = \sum_{k=0}^{n-1} b_k\,\mathrm{Tr}\!\left(\eta\,\eta^{q^{k+j-i}}\right) = \sum_{k=0}^{n-1} a_{k+j-i}\, b_k,$$

which by the convolution identity is 1 if i = j and 0 otherwise. This is precisely the dual bases equation Tr(η_iδ_j) = δ_{i,j}. ∎

From this, it can be deduced that the two generators are equal, δ = η, if and only if the polynomial a(x) = b(x) = 1; so the basis { η_{n−1}, …, η_1, η_0 } is a self-dual basis whenever this occurs. Let

$$\eta\,\eta^{q^i} = \sum_{j=0}^{n-1} a_{i,j}\,\eta^{q^j}.$$

Theorem 3.24. The normal basis of F_{q^n} over F_q generated by η is a self-dual normal basis if and only if the matrix A = ( a_{i,j} ) = ( a_{j−i} ) is symmetric and Tr(η²) = 1.

Proof: See [3, Gieselmann and Gollmann]. ∎

3.8. Distribution Of Normal Bases

Lemma 3.25. (Perlis 1942) Let the element η be a generator of a normal basis of the finite field F_{q^n} over F_q, and let

$$\gamma = c_{n-1}\eta^{q^{n-1}} + \cdots + c_2\eta^{q^2} + c_1\eta^{q} + c_0\eta,$$

where c_i ∈ F_q. Then the element γ is a generator of a normal basis of F_{q^n} over F_q if and only if

$$x^n - 1 \quad\text{and}\quad c(x) = c_{n-1}x^{n-1} + \cdots + c_1x + c_0$$

are relatively prime.

Proof: First observe that if the circulant matrix C = circ[c_{n−1}, …, c_1, c_0] is invertible, then the conjugates of the element γ are linearly independent, so the only solution of the equation

$$a_{n-1}\gamma^{q^{n-1}} + \cdots + a_2\gamma^{q^2} + a_1\gamma^{q} + a_0\gamma = 0$$

is the trivial solution a = (0, ..., 0, 0). Conversely, if the subset { γ^{q^{n−1}}, ..., γ^q, γ } is linearly independent, then a = (0, ..., 0, 0) is the only solution of the vector equation

$$\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ \vdots \\ a_{n-1}\end{pmatrix}^{T} \begin{pmatrix} c_0 & c_1 & c_2 & \cdots & c_{n-1} \\ c_1 & c_0 & c_{n-1} & \cdots & c_2 \\ c_2 & c_1 & c_0 & \cdots & c_3 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_0 \end{pmatrix} \begin{pmatrix} \eta \\ \eta^{q} \\ \eta^{q^2} \\ \vdots \\ \eta^{q^{n-1}} \end{pmatrix} = 0.$$

This implies that C is invertible. To establish the correspondence gcd(c(x), x^n − 1) = 1 ⇐⇒ { γ^{q^{n−1}}, ..., γ^q, γ } is a basis, it is sufficient to work with the identification c(x) ⇐⇒ circ[c_{n−1}, …, c_1, c_0] of the multiplicative group isomorphism (F_q[x]/(x^n − 1))^* ≅ C_n(F_q). ∎


This result leads to an enumeration formula for the distribution of normal bases over Fq.

Theorem 3.26. The total number of normal bases of F_{q^n} over F_q is given by

$$N_n(q) = \frac{1}{n}\,\Phi(x^n - 1).$$

Proof: The quotient ring F_q[x]/(x^n − 1) contains Φ(x^n − 1) invertibles, which are in one to one correspondence with the normal elements in F_{q^n}, and each normal basis consists of n conjugate normal elements. ∎

Example 3.27. Determine the number of normal bases of F_{2^{15}} over F_2. The factorization of the polynomial x^{15} − 1 over F_2 is

$$x^{15} - 1 = (x - 1)(x^2 + x + 1)(x^4 + x^3 + x^2 + x + 1)(x^4 + x^3 + 1)(x^4 + x + 1) \in F_2[x].$$

The formula for the number of normal bases gives

$$N_{15}(2) = \frac{1}{15}\,\Phi(x^{15} - 1) = \frac{1}{15}\cdot 2^{15}\left(1 - 2^{-1}\right)\left(1 - 2^{-2}\right)\left(1 - 2^{-4}\right)^3 = 675$$

normal bases over F_2.

Computational techniques for evaluating Φ(xn−1) and other arithmetic functions are covered in the chapter on arithmetic functions.
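Theorem 3.26 and Example 3.27 can be checked numerically over F_2, as in the following added example (not code from the text): it counts the units of F_2[x]/(x^n − 1) by exhaustive search, which by Lemma 3.25 are in one-to-one correspondence with the normal elements, and compares the count with Φ(x^n − 1) read off the factorization. The factorization x^6 − 1 = (x − 1)²(x² + x + 1)² supplies a second, repeated-factor case, and the last function evaluates the gcd(n, q) = 1 branch of Theorem 3.31 for q = 2 with the data of Example 3.32.

```python
# Added example (not code from the text): Theorem 3.26 and Example 3.27 checked over F_2 by
# counting the units of F_2[x]/(x^n - 1) directly and comparing with Phi(x^n - 1) read off
# the factorization; by Lemma 3.25 the units correspond one-to-one to the normal elements.
# Polynomials over F_2 are ints whose bit i is the coefficient of x^i.

def pmod(a, m):
    """Remainder of a modulo m in F_2[x]."""
    d = m.bit_length() - 1
    while a and a.bit_length() - 1 >= d:
        a ^= m << (a.bit_length() - 1 - d)
    return a

def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a

def phi_from_factorization(q, factors):
    """Phi(f) for f = prod p_i^e_i with deg p_i = d_i, namely prod (q^d_i - 1) q^(d_i (e_i - 1));
    `factors` lists a (degree, multiplicity) pair for every distinct irreducible factor."""
    phi = 1
    for d, e in factors:
        phi *= (q ** d - 1) * q ** (d * (e - 1))
    return phi

def count_units(n):
    """Number of c(x) of degree < n over F_2 with gcd(c(x), x^n - 1) = 1, i.e. the number of
    normal elements of F_{2^n} over F_2 (Lemma 3.25), found by exhaustive search."""
    xn1 = (1 << n) | 1
    return sum(1 for c in range(1 << n) if pgcd(c, xn1) == 1)

def normal_basis_count(n, factors, q=2):
    """Theorem 3.26: N_n(q) = Phi(x^n - 1) / n, each basis consisting of n conjugates."""
    phi = phi_from_factorization(q, factors)
    assert phi % n == 0
    return phi // n

def self_dual_normal_basis_count(n, c, d, q=2):
    """Theorem 3.31, gcd(n, q) = 1 branch with q = 2 and n odd (so a = 0):
    (1/n) prod (q^c_i + 1) prod (q^d_i - 1); c = half-degrees of the self-reciprocal
    irreducible factors, d = degrees of the factors occurring in reciprocal pairs."""
    prod = 1
    for ci in c:
        prod *= q ** ci + 1
    for di in d:
        prod *= q ** di - 1
    assert prod % n == 0
    return prod // n

# Example 3.27: x^15 - 1 = (x - 1)(x^2 + x + 1)(x^4 + x^3 + x^2 + x + 1)(x^4 + x^3 + 1)(x^4 + x + 1)
FACTORS_15 = [(1, 1), (2, 1), (4, 1), (4, 1), (4, 1)]
# Example 3.32: self-reciprocal factors of half-degree 1 and 2, one reciprocal pair of degree 4
HALF_DEGREES_15, PAIR_DEGREES_15 = [1, 2], [4]
# A repeated-factor case added here: x^6 - 1 = (x^3 - 1)^2 = (x - 1)^2 (x^2 + x + 1)^2 over F_2
FACTORS_6 = [(1, 2), (2, 2)]
```

For n = 15 the exhaustive count and the formula both give 10125 normal elements, hence 675 normal bases; for n = 6 the repeated factors give 24 normal elements and 4 normal bases.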

The special case of n = p^v, v ≥ 1, in characteristic p, has the polynomial x^n − 1 = (x − 1)^n, so Φ(x^n − 1) = q^{n−1}(q − 1) independent of v ≥ 1. The number q^{n−1}(q − 1) is the maximal number of units or invertibles in F_q[x]/(x^n − 1) possible. For example, if η ∈ F_{q^n} is a fixed normal element over F_q, and c(x) = c_{n−1}x^{n−1} + ⋅⋅⋅ + c_1x + c_0, then the element

$$c_{n-1}\eta^{q^{n-1}} + \cdots + c_2\eta^{q^2} + c_1\eta^{q} + c_0\eta$$

is a normal element in F_{q^n} over F_q whenever c(1) ≠ 0, since c(x) = c_{n−1}x^{n−1} + ⋅⋅⋅ + c_1x + c_0 ∈ F_q[x]/(x^n − 1) is invertible whenever c(1) ≠ 0, that is, whenever x − 1 does not divide c(x).

3.9 Distribution Of Self-Dual Normal Bases

The existence of self-dual normal bases of F_{2^n} over F_2 for q = 2 and n odd was recognized about two decades ago. This follows from the uniqueness of dual bases pairs and the fact that the number Φ(x^n − 1) of normal bases of F_{2^n} over F_2 for odd n is an odd integer. In addition to extensions of odd degree n, some extensions of even degree n with q = 2^v also have self-dual normal bases.

Theorem 3.28. The extension Fqn of Fq has a self-dual normal basis for the following parameters.

(1) If and only if n is odd and q = p^v is an odd prime power.
(2) If and only if n ≠ 4k and q = 2^v, v ≥ 1.

Proof: The subfields of a field which has a self-dual normal basis also have self-dual normal bases, so it is sufficient to prove the nonexistence of self-dual normal bases of the two smaller subfields:

(1) F_{q^2} over F_q in characteristic char(F_q) ≠ 2, and
(2) F_{q^4} over F_q in characteristic char(F_q) = 2.

(1) To verify this case, suppose that η, σ(η) is a self-dual normal basis of F_{q^2} over F_q; then

0 = Tr(ησ(η)) = 2ησ(η),

which is a contradiction in characteristic char(F_q) ≠ 2.

(2) And to verify the other case, suppose η, σ(η), σ²(η), σ³(η) is a self-dual normal basis of F_{q^4} over F_q. Then

0 = Tr(ησ(η)) = [η + σ²(η)][σ(η) + σ³(η)].

But η + σ²(η) = 0 or σ(η) + σ³(η) = 0 contradicts the fact that η, σ(η), σ²(η), σ³(η) is a basis. ∎

The approach taken here is treated in full generality in [1, Bayer et al, p.369.].

Example 3.29. Self-dual normal bases of extensions of F_2. The first two extensions F_4 = F_2[x]/(x² + x + 1) = { a_1η² + a_0η : a_i ∈ F_2 } and F_8 = F_2[x]/(x³ + x² + 1) = { a_2η⁴ + a_1η² + a_0η : a_i ∈ F_2 } of F_2, where η is a root of the normal polynomials x² + x + 1 and x³ + x² + 1 respectively, have self-dual normal bases, but the next extension F_16 = F_2[x]/(x⁴ + x³ + 1) of F_2 does not have a self-dual normal basis since n = 4. More generally, the sequence of finite fields

F_{2^4}, F_{2^8}, F_{2^{12}}, F_{2^{16}}, ..., F_{2^{4k}}, ...,

k ≥ 1, do not have self-dual normal bases.

Example 3.30. Consider a root α of the irreducible polynomial f(x) = x^p − x − a ∈ F_q[x], q = p^v, and β ∈ F_q. Let η = (β − α)^{p−1} − 1; then the list of elements

$$\eta^{q^{p-1}}, \ldots, \eta^{q^2}, \eta^{q}, \eta$$

is a self-dual normal basis of F_{q^p} over F_q.

Now take an odd prime power q = p^v and an odd integer n = 2k + 1, or q = 2^v and an integer n ≠ 4k, so that gcd(n, q) = 1, and let

$$x^n - 1 = (x - 1)f_1(x)f_2(x)\cdots f_t(x)\,g_{t+1}(x)g_{t+1}^*(x)\,g_{t+2}(x)g_{t+2}^*(x)\cdots g_u(x)g_u^*(x)$$

be the ordered reciprocal polynomial factorization. The irreducible factors f_i(x) of even degree deg(f_i(x)) = 2c_i are self-reciprocal, id est, f_i(x) = f_i*(x), but the irreducible factors g_i(x) of degree deg(g_i(x)) = d_i are not self-reciprocal, id est, g_i(x) ≠ g_i*(x).

Theorem 3.31. The number of distinct self-dual normal bases of F_{q^n} over F_q is given by

$$SDN_n(q) = \begin{cases} \dfrac{2^a}{n}\displaystyle\prod_{i=1}^{t}\left(q^{c_i} + 1\right)\prod_{i=t+1}^{u}\left(q^{d_i} - 1\right) & \text{if } \gcd(n, q) = 1,\\[8pt] q^{-1 + (q-1)(k+b)/2}\,SDN_k(q) & \text{if } n = kq, \end{cases}$$

where

$$a = \begin{cases} 0 & \text{if } q = 2 \text{ and } n \not\equiv 0 \bmod 4,\\ 1 & \text{if } q \equiv 1 \bmod 2 \text{ and } n \equiv 1 \bmod 2, \end{cases} \qquad b = \begin{cases} 1 & \text{if } q = 2 \text{ and } k \equiv 1 \bmod 2,\\ 0 & \text{if } q \equiv 1 \bmod 2 \text{ and } n \equiv 1 \bmod 2. \end{cases}$$

These statistics are derived from the cardinalities of the subset OC_n(F_q) = O_n(F_q) ∩ C_n(F_q) of nonsingular circulant orthogonal matrices over F_q; see the chapter on structured matrices. A proof of the theorem is given in [2, Jungnickel et al].

Example 3.32. Determine the number of self-dual normal bases of the finite field F_{2^{15}} over F_2. The ordered self-reciprocal factorization of the polynomial x^{15} − 1 over F_2 is

$$x^{15} - 1 = (x - 1)f_1(x)f_2(x)g_3(x)g_3^*(x) = (x - 1)(x^2 + x + 1)(x^4 + x^3 + x^2 + x + 1)(x^4 + x^3 + 1)(x^4 + x + 1) \in F_2[x].$$

Using the formula for the number of self-dual normal bases, with c_1 = 1, c_2 = 2 and d_3 = 4, one finds that F_{2^{15}} has

$$SDN_{15}(2) = \frac{1}{15}\,(2 + 1)(2^2 + 1)(2^4 - 1) = 15$$

self-dual normal bases over F_2.


Self-dual bases are of considerable practical interest in finite field multipliers, see [4, Berlekamp], [3, Geiselmann et al], [1, Stinson], etc.

3.10. Formulae For Normal Elements/Polynomials

The general methods for constructing arbitrary normal elements and polynomials are not very practical. Any moderately large parameters n and q require a significant amount of computation. However, there are many specific cases which are relatively easy to construct for specific parameters n and q.

Definition 3.33. A polynomial with linearly independent roots is called a normal polynomial.

The normal polynomial

$$N(x) = \left(x - g^{q^{n-1}}\right)\cdots\left(x - g^{q}\right)(x - g),$$

of degree n and parametrized by g = g(r_{n−1}, …, r_1, r_0), r_i ∈ F_q, ranges through all the normal polynomials over F_q as the vector r = (r_{n−1}, …, r_1, r_0) ranges over a certain subset of vectors. This formula is the additive counterpart of the formula g^v, gcd(v, p − 1) = 1, for reproducing all the primitive roots modulo p from a single primitive root g.

This formula is practical for very small n, and it is illustrated here for n = 2. The derivations are given in [1, Nemoga et al, p.89].

Example 3.34. (1) If q = 2^v, and x² + ax + b is the initial normal polynomial, then the entire collection of q(q − 1)/2 normal polynomials over F_q is reproduced by the formula

$$N(x) = x^2 + a(r_0 + r_1)x + b(r_0 + r_1)^2 + r_0 r_1 a^2,$$

where r_i ∈ F_q, and r_0 ≠ r_1. The generator is g = r_0(α + α^q) + r_1(α − α^q), where α² + aα + b = 0.

(2) If q ≠ 2^v, and x² + ax + b is the initial normal polynomial, then the entire collection of (q − 1)²/2 normal polynomials over F_q is reproduced by the formula

$$N(x) = x^2 + 2ar_0\,x + b\,r_0^2 - r_1^2\left(a^2 - 4b\right),$$

where r_i ∈ F_q, and r_0 r_1 ≠ 0.

An effective deterministic algorithm for constructing normal elements is developed in [2, Poli]. This algorithm is also based on the factorization of the polynomial xn − 1, and the standard normal test.


Other Generators of Normal Bases

Several techniques for generating normal elements are explored in this section.

The list of polynomials

$$e_i(x) = \frac{f(x)}{\left(x - \alpha^{q^i}\right) f'\!\left(\alpha^{q^i}\right)}$$

is an idempotent basis of the quotient ring F_q[x]/(f(x)). Specifically,

(1) (e_i(x))² ≡ e_i(x) mod f(x),
(2) e_i(x)e_j(x) ≡ 0 mod f(x), i ≠ j, and
(3) e_{n−1}(x) + ⋅⋅⋅ + e_1(x) + e_0(x) ≡ 1.

Theorem 3.35. (Artin 1966) Let α be a root of the irreducible polynomial f(x) of degree n over F_q, and let β ∈ F_{q^n}. Then the element e(β) = e_0(β) generates a normal basis of F_{q^n} over F_q for at least q − n(n − 1) distinct β ∈ F_q, q > n².

Proof: Consider the subset { e_i(x) : 0 ≤ i < n } of polynomials of degree deg(e_i) < n, and the matrix E(x) = ( e_i(x)e_j(x) ). From properties (1) and (2) of the set { e_i(x) } just stated, it follows that the matrix E(x) = ( e_i(x)e_j(x) ) = diag(e_{n−1}(x), …, e_1(x), e_0(x)), and its determinant det(E(x)) = det((e_{i+j}(x))) = e_{n−1}(x) ⋅⋅⋅ e_1(x)e_0(x) is a polynomial of degree n(n − 1). Further, the elements in the set { e_i(β) : fixed β ∈ F_q } form a basis if and only if the matrix E(β) = ( e_i(β)e_j(β) ) = ( e_{i+j}(β) ) is nonsingular. But since the degree of det(E(x)) is n(n − 1), the matrix E(β) is singular for at most n(n − 1) distinct β ∈ F_q. ∎

Cyclic Convolution

The cyclic convolution of $\alpha$ and $\beta$ is defined by

$$\alpha * \beta = \sum_{i=0}^{n-1} \alpha^{q^i}\beta^{q^{-i}}$$

for all $\alpha, \beta \in F_{q^n}$.

Lemma 3.36. (Lacan et al.) Let $\eta \in F_{q^n}$ be normal over $F_q$. Then $L(x) = \eta * x$ is a one-to-one linear map $L : F_{q^n} \to F_{q^n}$.

Proof: The linearity $L(ax + by) = \eta*(ax + by) = \eta*ax + \eta*by = aL(x) + bL(y)$ is clear. The verification of the one-to-one property appears in the stated source. □

The cyclic convolution of normal elements is a method of generating new normal elements from a given normal element.

Lemma 3.37. (Lacan et al.) The cyclic convolution $\eta * \gamma$ of a pair of normal elements $\eta, \gamma \in F_{q^n}$ is again a normal element of $F_{q^n}$ over $F_q$ if and only if $n$ is odd. Furthermore, for every such pair $\eta*\gamma \ne \eta$ and $\eta*\gamma \ne \gamma$ if and only if $q = 2$ and $n$ is odd.

Algorithm for Constructing Normal Elements

An algorithm for constructing normal elements of $F_{q^n}$ over $F_q$ based on the polynomial

$$c_\eta(x) = c_{n-1}x^{n-1} + \cdots + c_1 x + c_0 = \mathrm{Tr}(\eta_0\eta_{n-1})x^{n-1} + \cdots + \mathrm{Tr}(\eta_0\eta_1)x + \mathrm{Tr}(\eta_0\eta_0) \in F_q[x],$$

where $\eta_i = \eta^{q^i}$, is outlined here. The test works because the Gram matrix $(\mathrm{Tr}(\eta_i\eta_j))$ of the conjugates is the circulant matrix of $c_\eta(x)$: it is nonsingular exactly when $c_\eta(x)$ is a unit in $F_q[x]/(x^n - 1)$, and it is the identity exactly when $c_\eta(x) = 1$.

Step 1. Choose a random element $\alpha \in F_{q^n}$ and compute $\mathrm{Tr}(\alpha)$. If $\mathrm{Tr}(\alpha) = 0$, repeat Step 1.

Step 2. Compute

$$c_0 = \mathrm{Tr}(\alpha^2),\ c_1 = \mathrm{Tr}(\alpha^{q+1}),\ c_2 = \mathrm{Tr}(\alpha^{q^2+1}),\ \ldots,\ c_{n-1} = \mathrm{Tr}(\alpha^{q^{n-1}+1}),$$

and $\gcd(c(x), x^n - 1)$. If $\gcd(c(x), x^n - 1) = 1$, then the element $\alpha$ is normal in $F_{q^n}$ over $F_q$; if in addition $c_{n-1} = \cdots = c_1 = 0$ and $c_0 = 1$, then $\alpha$ generates a self-dual normal basis. Otherwise repeat Step 1.

3.11 Completely Normal Bases and Testing Methods

Definition 3.38. A normal element $\eta \in F_{q^n}$ over $F_q$ is said to be completely normal if it generates a normal basis of $F_{q^n}$ over $F_{q^d}$ for every divisor $d$ of $n$.

Theorem 3.39. (Blessenohl and Johnsen 1986) There is a normal element $\eta \in F_{q^n}$ over $F_q$ that is completely normal, i.e., normal over $F_{q^d}$ for all divisors $d$ of $n$.

The normal basis tests introduced before are easily extended to the completely normal case. The extended versions of the three most widely used tests are as follows.

Theorem 3.40. (Matrix Completely Normal Test) The set of conjugates $\{\eta_{n-1}, \ldots, \eta_1, \eta_0\}$, $\eta_i = \eta^{q^i}$, is a completely normal basis of $F_{q^n}$ over $F_q$ if and only if the $e \times e$ circulant submatrices

$$A_d = \big(\eta^{q^{d(j-i)}}\big)_{0 \le i, j < e}$$

are nonsingular for all $d \mid n$, $n = de$.

Example 3.41. For $n = 6$ the matrix test consists of three matrices (the divisors $d = 3, 2, 1$ of $n$; the case $d = 6$ is the $1 \times 1$ matrix $(\eta)$):

$$A_3 = \begin{pmatrix} \eta & \eta^{q^3} \\ \eta^{q^3} & \eta \end{pmatrix}, \qquad
A_2 = \begin{pmatrix} \eta & \eta^{q^2} & \eta^{q^4} \\ \eta^{q^4} & \eta & \eta^{q^2} \\ \eta^{q^2} & \eta^{q^4} & \eta \end{pmatrix},$$

$$A_1 = \begin{pmatrix}
\eta & \eta^{q} & \eta^{q^2} & \eta^{q^3} & \eta^{q^4} & \eta^{q^5} \\
\eta^{q^5} & \eta & \eta^{q} & \eta^{q^2} & \eta^{q^3} & \eta^{q^4} \\
\eta^{q^4} & \eta^{q^5} & \eta & \eta^{q} & \eta^{q^2} & \eta^{q^3} \\
\eta^{q^3} & \eta^{q^4} & \eta^{q^5} & \eta & \eta^{q} & \eta^{q^2} \\
\eta^{q^2} & \eta^{q^3} & \eta^{q^4} & \eta^{q^5} & \eta & \eta^{q} \\
\eta^{q} & \eta^{q^2} & \eta^{q^3} & \eta^{q^4} & \eta^{q^5} & \eta
\end{pmatrix}.$$

The element $\eta \in F_{q^6}$ is a completely normal element over $F_q$ if and only if $\det(A_3) \ne 0$, $\det(A_2) \ne 0$, and $\det(A_1) \ne 0$.

Theorem 3.41. (Gcd Completely Normal Test) The conjugate set $\{\eta^{q^{d(e-1)}}, \ldots, \eta^{q^d}, \eta\}$ forms a normal basis of $F_{q^n}$ over $F_{q^d}$ if and only if the polynomials

$$f(x) = x^{n/d} - 1 \quad\text{and}\quad g(x) = \eta^{q^{d(e-1)}}x^{e-1} + \cdots + \eta^{q^{2d}}x^2 + \eta^{q^d}x + \eta$$

are relatively prime in $F_{q^n}[x]$, i.e., $\gcd(f(x), g(x))$ is a nonzero constant. Further, if this holds for all $d \mid n$, then the element $\eta \in F_{q^n}$ is completely normal.

Theorem 3.42. (Standard Completely Normal Test) An element $\eta \in F_{q^n}$ is a completely normal element over $F_q$ if and only if the system of inequalities

$$\frac{x^e - 1}{a(x)} \circ \eta \ne 0$$

holds for all irreducible factors $a(x)$ of $x^e - 1 \in F_{q^d}[x]$ and all divisors $e$ of $n = de$, where $h(x) \circ \eta = \sum_i h_i \eta^{q^{di}}$ for $h(x) = \sum_i h_i x^i$.

The computational complexity of the standard completely normal test is determined by the factorization of the integer $n = de$ and of the polynomial $x^e - 1$. For each divisor $d$ of $n$ there are $\Omega(x^e - 1)$ inequalities in the system, which is the number of irreducible factors of $x^e - 1$ over $F_{q^d}$. The test is repeated $\tau(n)$ times, which is the number of divisors of the integer $n$.

For the parameter $n = p^v$, $p$ being the characteristic of the finite field $F_q$ and $v \ge 1$, the polynomial $x^n - 1 = (x - 1)^n$. Accordingly the system of inequalities in the standard completely normal test collapses to a single line:

$$\frac{x^e - 1}{x - 1} \circ \eta = \eta^{q^{d(e-1)}} + \eta^{q^{d(e-2)}} + \cdots + \eta^{q^d} + \eta \ne 0,$$

but the integer $e$ ranges over the divisors of $n$, $n = de$.


In the standard normal test the parameter $k = n$ is fixed, so the condition $\mathrm{Tr}(\alpha) \ne 0$ is sufficient to test the normality of an element of $F_{q^n}$, $n = p^v$. The transitivity of the trace function allows an extension of this short test to completely normal elements.

Theorem 3.43. Let $f(x) = x^n + a_{n-1}x^{n-1} + \cdots + a_1 x + a_0 \in F_q[x]$ be irreducible of degree $\deg(f) = n = p^v$, $p \mid q$, and let $d$ be a divisor of $n$. Then a root $\eta$ of $f(x)$ is a completely normal element of $F_{q^n}$ over $F_q$, i.e., normal over $F_{q^d}$ for every $d \mid n$, if and only if $a_{n-1} \ne 0$.

Proof: The relative trace is precisely

$$\mathrm{Tr}_{n:d}(\eta) = \eta^{q^{d(e-1)}} + \eta^{q^{d(e-2)}} + \cdots + \eta^{q^d} + \eta$$

for all $d \mid n$, and by the collapsed test above $\eta$ is normal over $F_{q^d}$ if and only if $\mathrm{Tr}_{n:d}(\eta) \ne 0$. To confirm that $\mathrm{Tr}_{n:d}(\eta) \ne 0$, use the transitivity of the trace function and the data $a_{n-1} \ne 0$ to arrive at $\mathrm{Tr}_{n:1}(\eta) = \mathrm{Tr}_{d:1}(\mathrm{Tr}_{n:d}(\eta)) = -a_{n-1} \ne 0$. Ergo $\mathrm{Tr}_{n:d}(\eta) \ne 0$. Conversely, if $a_{n-1} = 0$ then $\mathrm{Tr}_{n:1}(\eta) = 0$ and $\eta$ is not even normal over $F_q$. This proves that the element $\eta$ is completely normal in $F_{q^n}$ over $F_q$ exactly when $a_{n-1} \ne 0$. □
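As an added example (not part of the original text), the following Python code implements the two tests above over $F_{2^n} = F_2[x]/(f(x))$ with field elements stored as integer bit masks: the gcd test of Step 2 of the algorithm ($c_\eta(x) = \sum_i \mathrm{Tr}(\eta\,\eta^{2^i})x^i$ against $x^n - 1$, with the self-dual check $c_\eta(x) = 1$) and the matrix test of Theorem 3.40 (determinants of the circulant submatrices $A_d$ over $F_{2^n}$); it also exercises Theorem 3.43 for $n = 4 = 2^2$. The field polynomials $x^6 + x^5 + 1$ and $x^4 + x^3 + 1$ are my choices, and all function names are assumptions of this example.

```python
# Added example (not from the original text): normal and completely normal tests over
# F_{2^n}.  An element of F_{2^n} = F_2[x]/(f(x)) is an int whose bit i is the coefficient
# of x^i; f is the int encoding of the irreducible field polynomial (bit n set).


def gf_mul(a, b, f, n):
    """Product in F_{2^n} by shift-and-xor reduction modulo f."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: subtract (xor) f
            a ^= f
    return r


def gf_inv(a, f, n):
    """Inverse of a nonzero element as a^(2^n - 2)."""
    r, e = 1, (1 << n) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, f, n)
        a = gf_mul(a, a, f, n)
        e >>= 1
    return r


def frob(a, k, f, n):
    """Frobenius power a^(2^k)."""
    for _ in range(k):
        a = gf_mul(a, a, f, n)
    return a


def trace(a, f, n):
    """Absolute trace a + a^2 + ... + a^(2^(n-1)); the result lies in F_2 = {0, 1}."""
    t = 0
    for k in range(n):
        t ^= frob(a, k, f, n)
    return t


def poly2_gcd(a, b):
    """gcd of two polynomials over F_2 encoded as ints (Euclid with xor-shifts)."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a


def c_poly(eta, f, n):
    """c_eta(x) = sum_{i<n} Tr(eta * eta^(2^i)) x^i: the first row of the circulant
    Gram matrix (Tr(eta^(2^i) eta^(2^j))) of the conjugates, encoded as an int."""
    c = 0
    for i in range(n):
        if trace(gf_mul(eta, frob(eta, i, f, n), f, n), f, n):
            c |= 1 << i
    return c


def is_normal(eta, f, n):
    """Step 2 of the algorithm: eta is normal over F_2 iff gcd(c_eta(x), x^n - 1) = 1."""
    return poly2_gcd(c_poly(eta, f, n), (1 << n) | 1) == 1


def is_self_dual_normal(eta, f, n):
    """Gram matrix equal to the identity, i.e. c_eta(x) = 1."""
    return c_poly(eta, f, n) == 1


def gf_det(m, f, n):
    """Determinant over F_{2^n} by Gaussian elimination (no signs in characteristic 2)."""
    m = [row[:] for row in m]
    det = 1
    for col in range(len(m)):
        piv = next((r for r in range(col, len(m)) if m[r][col]), None)
        if piv is None:
            return 0
        m[col], m[piv] = m[piv], m[col]
        det = gf_mul(det, m[col][col], f, n)
        inv = gf_inv(m[col][col], f, n)
        for r in range(col + 1, len(m)):
            if m[r][col]:
                t = gf_mul(m[r][col], inv, f, n)
                m[r] = [x ^ gf_mul(t, y, f, n) for x, y in zip(m[r], m[col])]
    return det


def is_normal_over_subfield(eta, d, f, n):
    """Theorem 3.40: eta is normal over F_{2^d} (d | n, e = n/d) iff the e x e circulant
    A_d = (eta^(2^(d(j-i)))) is nonsingular."""
    e = n // d
    conj = [frob(eta, d * k, f, n) for k in range(e)]        # eta^(2^(dk)), k < e
    a_d = [[conj[(j - i) % e] for j in range(e)] for i in range(e)]
    return gf_det(a_d, f, n) != 0


def is_completely_normal(eta, f, n):
    """Definition 3.38: normal over F_{2^d} for every divisor d of n."""
    return all(is_normal_over_subfield(eta, d, f, n)
               for d in range(1, n + 1) if n % d == 0)


def census(f, n):
    """Numbers of normal, self-dual normal and completely normal elements of F_{2^n}."""
    elems = range(1, 1 << n)
    return (sum(is_normal(x, f, n) for x in elems),
            sum(is_self_dual_normal(x, f, n) for x in elems),
            sum(is_completely_normal(x, f, n) for x in elems))


if __name__ == "__main__":
    print(census(0b1100001, 6))   # F_64 = F_2[x]/(x^6 + x^5 + 1)
```

For $n = 6$ over $F_2$ the normal count must equal $\Phi_2(x^6 - 1) = (2^2 - 2)(2^4 - 2^2) = 24$, since $x^6 - 1 = (x+1)^2(x^2+x+1)^2$ over $F_2$, and the completely normal count is a positive multiple of 6 (conjugates of a completely normal element are completely normal, and Theorem 3.39 guarantees existence). For $n = 4$ the roots of $x^4 + x^3 + 1$ ($a_3 = 1$) pass the complete-normality test while the root of $x^4 + x + 1$ ($a_3 = 0$) is not even normal, as Theorem 3.43 predicts.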

Theorem 3.44. (Blake et al., 1997) Suppose $x^n - a \in F_q[x]$ is irreducible. Then a root $\eta \in F_{q^n}$ of $ax^n - (x - 1)^n$ is a completely normal element over $F_q$.

The pure equation $x^n - a$ is irreducible whenever the two conditions below hold, where the $p_i$ are the prime divisors of $n$ and $m = \mathrm{ord}(a)$ is the order of $a$ in the multiplicative group $F_q^*$, see [1, Lidl et al, p.124]: (1) each prime $p_i$ divides $m$ but not $(q-1)/m$, and (2) if 4 divides $n$, then 4 divides $q - 1$. The two specific cases

(i) the constant $a$ is a nonsquare in $F_q$ and $n = 2^k$ (with $4 \mid q - 1$ when $4 \mid n$), and

(ii) the constant $a$ is primitive in $F_q$ and $n = p_1^{u_1} \cdots p_s^{u_s}$, $q - 1 = p_1^{v_1} \cdots p_s^{v_s}$, $v_i \le u_i$,

are easy to verify.

A table of completely normal polynomials for $p^n < 10^{50}$, $p \le 97$, of minimal weight is provided in [2, Morgan/Mullin].

Example 3.45. Completely normal polynomials of degrees 2 to 5 over $F_2$, $F_3$ and $F_5$:

    F_2[x]                       F_3[x]               F_5[x]
    x^2 + x + 1                  x^2 + x + 2          x^2 + x + 2
    x^3 + x^2 + 1                x^3 + 2x^2 + 1       x^3 + x^2 + 2
    x^4 + x^3 + 1                x^4 + 2x^3 + 2       x^4 + x^2 + 2
    x^5 + x^4 + x^3 + x^2 + 1    x^5 + 2x^4 + 1       x^5 + 2x^4 + 3


Distribution

The distribution of completely normal elements for arbitrary parameters $n$ and $q$ is not known. However, for a few specific parameters $n$ and $q$ it is known. For small pairs $(n, q)$, machine calculations of the cardinalities of completely normal elements $CN_n(q)$ and completely normal primitive elements $CNP_n(q)$ are feasible.

Iterated Construction

The iterated construction of completely normal elements has many similarities to the iterated construction of normal elements. The product $\eta = \eta_1\eta_2$ of two completely normal elements $\eta_1 \in F_{q^r}$ and $\eta_2 \in F_{q^s}$ over $F_q$ such that $\gcd(r, s) = 1$ is again a completely normal element in $F_{q^n}$ over $F_q$, $n = rs$. This is the basic building block employed to assemble arbitrary completely normal elements in $F_{q^n}$.

3.12 Infinite Sequences of Normal Elements/Polynomials

An iterative technique for constructing infinite sequences of irreducible polynomials rests on the polynomial transformation

$$f^Q(x) = (ax)^r f(Q(x)),$$

where $f(x) = x^r + a_{r-1}x^{r-1} + a_{r-2}x^{r-2} + \cdots + a_1 x + a_0$, $Q(x)$ is a rational function, and $0 \ne a \in F_q$.

Lemma 3.46. (Meyn 1990) Let $f(x) \in F_q[x]$ be irreducible of degree $n$ and let $f^Q(x) = x^n f(x + 1/x)$. Then $f^Q(x)$ is self-reciprocal and irreducible over $F_q$ if and only if $f(2)f(-2)$ is not a square in $F_q$.

The individual polynomials in the sequence are given by the recursive formula

$$f_n(x) = (ax)^{r^n} f_{n-1}(Q(x)), \qquad \deg(f_{n-1}) = r^n,$$

where the initial polynomial $f_0(x) = x^r + a_{r-1}x^{r-1} + a_{r-2}x^{r-2} + \cdots + a_1 x + a_0 \in F_q[x]$ is irreducible, and $n \ge 1$.

The infinite sequence of roots $\{\alpha_n\}$ of the infinite sequence of polynomials $\{f_n(x)\}$ induces an infinite tower of finite extensions

$$F_q \subset F_{q^r} \subset F_{q^{r^2}} \subset F_{q^{r^3}} \subset \cdots \subset F_{q^{r^\infty}}.$$

Theorem 3.47. (Varshamov 1989) Let $f_0(x) = x^p + x^{p-1} + \cdots + x + 1 \in F_p[x]$, $f_1(x) = f_0(x^p - x - 1)$, and let $f_n^*(x) = f_{n-1}^*(x^p - x - 1)$. Then $f_n^*(x)$ is a completely normal polynomial of degree $\deg(f_n^*(x)) = p^{n+1}$ for all $n \ge 2$.


One of the simplest constructions of an infinite sequence of polynomials uses a quadratic polynomial $f_0(x) = x^2 + a_1 x + a_0$ and the parameter $r = 2$. Several infinite sequences have been constructed in this manner. Here are some typical cases.

Theorem 3.48. (Chapman 1997) Let $q \equiv 1 \bmod 4$ be a prime power, and define the sequence

$$f_n(x) = (2x)^{2^n} f_{n-1}\Big(\frac{x^2 + 1}{2x}\Big),$$

where the initial polynomial $f_0(x) = x^2 + ax + 1 \in F_q[x]$ is irreducible and $n \ge 1$. Then any root $\alpha_n \in F_{q^{2^{n+1}}}$ of $f_n(x)$ is a completely normal element over $F_q$.

Theorem 3.49. (Chapman 1997) Let $q \equiv 3 \bmod 4$ be a prime power, and define the sequence

$$f_n(x) = (2x)^{2^n} f_{n-1}\Big(\frac{x^2 + c}{2x}\Big),$$

where the initial polynomial $f_0(x) = x^2 + ax + b \in F_q[x]$ is irreducible, $b \ne 0$, $c$ is not a square in $F_q$, and $n \ge 1$. Then any root $\alpha_n \in F_{q^{2^{n+1}}}$ of $f_n(x)$ is a completely normal element over $F_q$.

Theorem 3.50. (Blake et al, 1997) Let $p \equiv 3 \bmod 4$, and let $f_0(x) = x^2 - bx - c \in F_q[x]$ be irreducible such that $b \ne 2$ and $c$ is a square in $F_q$. Then any root $\alpha_n \in F_{q^{2^{n+1}}}$ of the polynomial

$$f_n(x) = (x - 1)^{2^{n+1}} - b(x - 1)^{2^n}x^{2^n} - cx^{2^{n+1}}$$

is a completely normal element over $F_q$, $n \ge 1$, $q = p^v$ with $v$ odd.

These results are described in fine detail in [1,2 Meyn], [1, Chapman], and [1, Blake et al. 1997]. Methods for generating infinite sequences of normal polynomials $\{f_n(x)\}$ of degree $\deg(f_n) = r^n$ whose roots are trace compatible, for the parameters

(1) $r = 2$, $q \equiv 1 \bmod 4$,
(2) $r = p$, the characteristic of $F_q$, $q = p^k$,
(3) $r$ odd, and $r$ divides $q^2 - 1$,

are developed in [1, Scheerhorn, 1994].

Theorem 3.51. (Blake et al, 1997) Let $\alpha_n$ be a root of the cyclotomic polynomial $\Phi_{p^{n+1}}(x)$, and let 2 be a primitive root modulo $p^2$, so that $\alpha_n$ lies in $F_{2^{(p-1)p^n}}$. Then

(1) $\eta_n = \alpha_n + \alpha_n^p + \alpha_n^{p^2} + \cdots + \alpha_n^{p^n}$ is a normal element of $F_{2^{(p-1)p^n}}$ over $F_2$, $n \ge 1$.

(2) $\delta_n = \eta_n + \sum_{i=0}^{(p-1)p^n - 1} \eta_n^{2^i}$ is the dual normal element.

The proof of (1) is based on the determinant of the trace matrix $T = (\mathrm{Tr}(\alpha_n^{2^i}\alpha_n^{2^j}))$. That of (2) uses the polynomial representation

$$N(x) = \sum_{i=0}^{(p-1)p^n - 1} \mathrm{Tr}\big(\eta_n^{1 + 2^i}\big)x^i = x^{(p-1)p^n/2} + \sum_{i=0}^{(p-1)p^n - 1} x^i$$

of the normal element $\eta_n$. The inverse of $N(x)$ is easy to calculate because $N(x)^2 \equiv 1$ in $F_2[x]/(x^{(p-1)p^n} - 1)$, i.e., $N(x)$ is its own inverse. Specifically, writing $m = (p-1)p^n$ (an even integer) and using $x^m - 1 = (x^{m/2} - 1)^2$ in characteristic 2,

$$N^2(x) = \Big(x^{m/2} + \sum_{i=0}^{m-1} x^i\Big)^2 = x^m + \Big(\frac{x^m - 1}{x - 1}\Big)^2 = x^m + (x^m - 1)\Big(\frac{x^{m/2} - 1}{x - 1}\Big)^2 \equiv 1 \pmod{x^m - 1}.$$

Thus $N^{-1}(x) = N(x)$ since $N^2(x) \equiv 1 \bmod (x^{(p-1)p^n} - 1)$.

Definition 3.52. A sequence of polynomials $\{f_n(x)\}$ of degree $\deg(f_n) = r^n$ is trace compatible if the relative trace satisfies $\mathrm{Tr}_{n+1:n}(\alpha_{n+1}) = \alpha_n$ for each pair of roots $\alpha_{n+1} \in F_{q^{r^{n+1}}}$ and $\alpha_n \in F_{q^{r^n}}$ of $f_{n+1}(x)$ and $f_n(x)$. More precisely, $f_{n+1}(\alpha_{n+1}) = 0$ and $f_n(\mathrm{Tr}_{n+1:n}(\alpha_{n+1})) = f_n(\alpha_n) = 0$.

3.13 Characteristic Functions

A characteristic function encapsulates certain properties of a subset of elements of $F_{q^n}$. It effectively filters out those elements that do not satisfy the constraints. The equation of a characteristic function is of the form

$$C(\alpha) = \begin{cases} 1 & \text{if the properties are valid,} \\ 0 & \text{otherwise,} \end{cases}$$

for all $\alpha \in F_{q^n}$.

The Characteristic Function of Primitive Elements

The characteristic function of primitive elements of $F_{q^n}$ equals 1 on the subset of primitive elements and vanishes otherwise.


Let $\chi$ be a multiplicative character of order $d = \mathrm{ord}(\chi)$, $d \mid q^n - 1$, on $F_{q^n}$. The characteristic function of primitive elements in $F_{q^n}$ is defined by

$$C_P(\alpha) = \frac{\varphi(q^n - 1)}{q^n - 1} \sum_{d \mid q^n - 1} \frac{\mu(d)}{\varphi(d)} \sum_{\mathrm{ord}(\chi) = d} \chi(\alpha),$$

where $\alpha \in F_{q^n}^*$, and the arithmetic functions $\mu$ and $\varphi$ are the Möbius and Euler functions on the ring of integers $\mathbb{Z}$ respectively.

A product version of this formula,

$$C_P(\alpha) = \frac{\varphi(q^n - 1)}{q^n - 1} \prod_{p \mid q^n - 1} \Big(1 - \frac{1}{p - 1} \sum_{\mathrm{ord}(\chi) = p} \chi(\alpha)\Big),$$

where $p$ runs through the prime divisors of $q^n - 1$, is also effective in certain applications. The transformation between the two forms is straightforward, see [1, Hua, p. 177], etc.

The function CP(α) is one of the basic tools used in the investigation of the distribution of primitive elements in finite fields. Typical applications are illustrated in [1, Jungnickel, et al], [1, Moreno], etc.

The Characteristic Function of Normal Elements

Let $\psi$ be an additive character of $F_q$-order $d(x) = \mathrm{Ord}(\psi) \mid x^n - 1$ on $F_{q^n}$. The characteristic function of normal elements in $F_{q^n}$ is defined by

$$C_N(\alpha) = \frac{\Phi(x^n - 1)}{q^n} \sum_{d(x) \mid x^n - 1} \frac{M(d(x))}{\Phi(d(x))} \sum_{\mathrm{Ord}(\psi) = d(x)} \psi\big([(x^n - 1)/d(x)] \circ \alpha\big),$$

where $\alpha \in F_{q^n}$, $h(x) \circ \alpha = \sum_i h_i \alpha^{q^i}$ for $h(x) = \sum_i h_i x^i$, and the arithmetic functions $M$ and $\Phi$ are the Möbius and Euler functions on the ring of polynomials $F_q[x]$ respectively.

A product version of this formula,

$$C_N(\alpha) = \frac{\Phi(x^n - 1)}{q^n} \prod_{f(x) \mid x^n - 1} \Big(1 - \frac{1}{q^{\deg f(x)} - 1} \sum_{\mathrm{Ord}(\psi) = f(x)} \psi\big([(x^n - 1)/f(x)] \circ \alpha\big)\Big),$$

where $f(x)$ runs through the irreducible factors of $x^n - 1$, is also effective in certain applications. The transformation between the two forms is straightforward, see [1, Lenstra et al], etc.


Example 3.53. For the parameters $n = p^u$, $q = p^v$, the polynomial $x^n - 1 = (x - 1)^n \in F_q[x]$, and the expression $[(x^n - 1)/g(x)] \circ \alpha = \mathrm{Tr}(\alpha)$ is the trace $\mathrm{Tr} : F_{q^n} \to F_q$, since $g(x) = x - 1$ is the only irreducible factor of $x^n - 1$ and $(x^n - 1)/(x - 1) = \sum_{i < n} x^i$. Thus the characteristic function of normal elements in $F_{q^n}$ is

$$C_N(\alpha) = (1 - 1/q)\Big(1 - \frac{1}{q - 1} \sum_{\mathrm{Ord}(\psi) = x - 1} \psi(\mathrm{Tr}(\alpha))\Big) = \begin{cases} 0 & \text{if } \mathrm{Tr}(\alpha) = 0, \\ 1 & \text{if } \mathrm{Tr}(\alpha) \ne 0. \end{cases}$$

The Characteristic Function of Primitive Normal Elements

The product of the characteristic function of primitive elements and the characteristic function of normal elements in $F_{q^n}$ yields the characteristic function of primitive normal elements.

Let $\chi$ be a multiplicative character of order $d = \mathrm{ord}(\chi)$, $d \mid q^n - 1$, and let $\psi$ be an additive character of $F_q$-order $e(x) = \mathrm{Ord}(\psi) \mid x^n - 1$ on $F_{q^n}$. The characteristic function of primitive normal elements in $F_{q^n}$ is defined by

$$C_{PN}(\alpha) = \frac{\varphi(q^n - 1)}{q^n - 1} \frac{\Phi(x^n - 1)}{q^n} \sum_{d \mid q^n - 1} \frac{\mu(d)}{\varphi(d)} \sum_{e(x) \mid x^n - 1} \frac{M(e(x))}{\Phi(e(x))} \sum_{\mathrm{ord}(\chi) = d} \sum_{\mathrm{Ord}(\psi) = e(x)} \chi(\alpha)\psi(\beta),$$

where $\alpha \in F_{q^n}^*$ and $\beta = [(x^n - 1)/e(x)] \circ \alpha$.

The function $C_{PN}(\alpha)$ is one of the basic tools used in the investigation of the distribution of primitive normal elements in finite fields. Typical applications are illustrated in [1, Lenstra et al] and [1, Carella], etc.

The Characteristic Function of Completely Normal Elements

The characteristic function of completely normal elements in $F_{q^n}$ is constructed from a series of characteristic functions of normal elements in $F_{q^n}$ over $F_{q^d}$, $d \mid n = de$. These functions are for extensions of degree $e = [F_{q^n} : F_{q^d}]$. Since an element $\eta \in F_{q^n}$ is completely normal if and only if $\eta$ is a normal element in $F_{q^n}$ over $F_{q^d}$ for all $d \mid n$, it follows that the characteristic function of completely normal elements is the product of the individual functions:

$$C_{CN}(\alpha) = \prod_{e \mid n} \Big( \frac{\Phi(x^e - 1)}{q^n} \sum_{f(x) \mid x^e - 1} \frac{M(f(x))}{\Phi(f(x))} \sum_{\mathrm{Ord}(\psi) = f(x)} \psi\big([(x^e - 1)/f(x)] \circ \alpha\big) \Big)$$

$$\phantom{C_{CN}(\alpha)} = \prod_{e \mid n} \frac{\Phi(x^e - 1)}{q^n} \prod_{g(x) \mid x^e - 1} \Big(1 - \frac{1}{q^{d \deg g(x)} - 1} \sum_{\mathrm{Ord}(\psi) = g(x)} \psi\big([(x^e - 1)/g(x)] \circ \alpha\big)\Big),$$

where $\alpha \in F_{q^n}$, the factorizations, $\Phi$ and $M$ are taken in $F_{q^d}[x]$, $h(x) \circ \alpha = \sum_i h_i \alpha^{q^{di}}$, and $g(x)$ runs through the irreducible factors of $x^e - 1 \in F_{q^d}[x]$ (there are $q^{d \deg g} - 1$ characters of order $g(x)$).

Example 3.54. For the parameters $n = p^u$, $q = p^v$, the polynomial $x^e - 1 = (x - 1)^e \in F_{q^{p^i}}[x]$, $e = p^{u-i}$, and the expression $[(x^e - 1)/g(x)] \circ \alpha = \mathrm{Tr}_i(\alpha)$ is the relative trace $\mathrm{Tr}_i : F_{q^{p^u}} \to F_{q^{p^i}}$, $0 \le i < u$ (since $g(x) = x - 1$ is the only irreducible factor of $x^e - 1$). Thus the characteristic function of completely normal elements in $F_{q^n}$ is

$$C_{CN}(\alpha) = \prod_{i=0}^{u-1} \big(1 - 1/q^{p^i}\big) \Big(1 - \frac{1}{q^{p^i} - 1} \sum_{\mathrm{Ord}(\psi) = x - 1} \psi(\mathrm{Tr}_i(\alpha))\Big).$$

3.14 Primitive Normal Bases

A primitive normal basis is generated by a primitive element of $F_{q^n}$. The asymptotic proof of the Primitive Normal Basis Theorem was first established by both [1, Carlitz] and [1, Davenport], and the final version for all pairs $n, q$ was established by [1, Lenstra and Schoof].

Theorem 3.55. (Primitive Normal Basis Theorem) Let $F_{q^n}$ be an $n$-degree extension of $F_q$. Then $F_{q^n}$ has a primitive normal basis over $F_q$.

The next result is a refinement of the Primitive Normal Basis Theorem, it calls for primitive normal elements of arbitrary traces.

Theorem 3.56. (Primitive Normal Basis Theorem Of Arbitrary Trace) For every $a \ne 0$ in $F_q$, there exists a primitive normal element of $F_{q^n}$ of trace $a$.

This modification was proposed as a conjecture by [1, Morgan and Mullin]. The asymptotic proof of the Primitive Normal Basis Theorem of Arbitrary Trace was first completed in [1, Carella], and about a year later it was extended to all pairs $n, q$ by [2, Cohen et al.].

The Distribution Of Primitive Normal Elements

The distribution of primitive normal elements is more intricate than either the distribution of primitive elements or the distribution of normal elements. An exact closed form formula for the number of primitive normal bases of $F_{q^n}$ over $F_q$ appears to be unknown; however, there is an asymptotic approximation due to [1, Carlitz]. The approximation is

$$PN_n(q) = \frac{\varphi(q^n - 1)\Phi(x^n - 1)}{q^n} + O\big(q^{(1/2 + \varepsilon)n}\big),$$

for all $\varepsilon > 0$.

Conjecture 3.57. (Morgan-Mullin 1996) Let q be a prime power and let n > 3 be an integer. Then there exists a completely normal primitive polynomial of degree n over Fq .

3.15 Applications Of Fractional Linear Transformations To Normal Bases

The projective line over the finite field $F_q$ consists of the set of points $P^1(F_q) = F_q \cup \{\infty\}$, where $\infty$ represents the point at infinity. The projective linear group $PGL_2(F_q) = GL_2(F_q)/\{aI_2\}$ acts on $P^1(F_q)$ via fractional linear transformations. The operation is composition of maps.

Let $\gamma$ be the $2 \times 2$ matrix $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in GL_2(F_q)$. A fractional linear transformation is defined by the map $\gamma(z) = (az + b)/(cz + d)$ on $P^1(F_q)$.

More generally, a fractional linear transformation is a permutation of $F_{q^n} \cup \{\infty\}$ for all $n \ge 1$.

Classification of Fractional Linear Transformations

A non-identity map $\gamma(z) = (az + b)/(cz + d)$ on $P^1(F_q)$ has at most two fixed points. The fixed points of the map $\gamma(z)$ are the solutions of the equation $\gamma(z) = z$. The discriminant $\mathrm{disc}(\gamma) = (a - d)^2 + 4bc$ is the discriminant of the fixed point equation $cz^2 - (a - d)z - b = 0$.

The order $n = \mathrm{ord}(\gamma)$ of the map $\gamma(z)$ is the smallest positive integer $n$ which satisfies $\gamma^n(z) = z$ for all $z \in P^1(F_q)$. The integer $n$ is a divisor of the order $q(q - 1)(q + 1) = \#PGL_2(F_q)$ of the group $PGL_2(F_q)$. The discriminant $\mathrm{disc}(\gamma)$ of the fixed point equation serves as an indicator of the order of the map $\gamma(z)$ ($q$ odd):

(1) If the discriminant $\mathrm{disc}(\gamma) = 0$, then the order $\mathrm{ord}(\gamma)$ divides $q$.
(2) If the discriminant $\mathrm{disc}(\gamma) \ne 0$ is a quadratic residue in $F_q$, then the order $\mathrm{ord}(\gamma)$ divides $q - 1$.
(3) If the discriminant $\mathrm{disc}(\gamma) \ne 0$ is a quadratic nonresidue in $F_q$, then the order $\mathrm{ord}(\gamma)$ divides $q + 1$.
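As an added example (not part of the original text), the following Python code realizes $\gamma(z) = (az + b)/(cz + d)$ as a permutation of $P^1(F_q)$ for an odd prime $q$, computes orders and orbits, and checks the three-way classification above against every matrix of $GL_2(F_q)$. The marker `INF` for the point at infinity and all function names are my own.

```python
# Added example (not from the original text): fractional linear transformations on
# P^1(F_q) = F_q u {oo} for an odd prime q, their orders, and the discriminant
# classification of the orders.  INF is this example's marker for the point oo.
from itertools import product

INF = "oo"


def flt(a, b, c, d, q):
    """The map gamma(z) = (a z + b)/(c z + d) on P^1(F_q) as a dict; needs ad - bc != 0."""
    if (a * d - b * c) % q == 0:
        raise ValueError("singular matrix")
    image = {}
    for z in range(q):
        den = (c * z + d) % q
        image[z] = INF if den == 0 else ((a * z + b) * pow(den, -1, q)) % q
    image[INF] = INF if c % q == 0 else (a * pow(c, -1, q)) % q   # gamma(oo) = a/c
    return image


def order(gamma):
    """Smallest m >= 1 with gamma^m(z) = z for every point z of P^1(F_q)."""
    current, m = dict(gamma), 1
    while any(current[z] != z for z in gamma):
        current = {z: gamma[current[z]] for z in gamma}
        m += 1
    return m


def orbit(gamma, z):
    """The gamma-orbit [z, gamma(z), gamma^2(z), ...] of a point."""
    orb = [z]
    while gamma[orb[-1]] != z:
        orb.append(gamma[orb[-1]])
    return orb


def disc_class(a, b, c, d, q):
    """Classify disc(gamma) = (a - d)^2 + 4bc as 'zero', 'square' or 'nonsquare' mod q."""
    disc = ((a - d) ** 2 + 4 * b * c) % q
    if disc == 0:
        return "zero"
    return "square" if pow(disc, (q - 1) // 2, q) == 1 else "nonsquare"


def predicted_multiple(a, b, c, d, q):
    """The number (q, q - 1 or q + 1) that, by the classification, ord(gamma) divides."""
    return {"zero": q, "square": q - 1, "nonsquare": q + 1}[disc_class(a, b, c, d, q)]


def verify_classification(q):
    """Check ord(gamma) | q, q - 1 or q + 1 according to disc(gamma) for all of GL_2(F_q);
    returns the number of matrices checked, (q^2 - 1)(q^2 - q)."""
    count = 0
    for a, b, c, d in product(range(q), repeat=4):
        if (a * d - b * c) % q == 0:
            continue
        m = order(flt(a, b, c, d, q))
        if predicted_multiple(a, b, c, d, q) % m != 0:
            raise AssertionError(f"classification fails for {(a, b, c, d)}: order {m}")
        count += 1
    return count


if __name__ == "__main__":
    g = flt(1, 1, 0, 1, 7)                 # z -> z + 1: disc = 0, order 7 = q
    print(order(g), orbit(g, 0), verify_classification(7))
```

The translation $z \mapsto z + 1$ has discriminant 0, order $q$, and a single orbit of length $q$ plus the fixed point $\infty$; $z \mapsto -1/z$ over $F_7$ has discriminant $-4 \equiv 3$, a nonresidue, and its order 2 divides $q + 1 = 8$.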

Lemma 3.58. If $f(x) \in F_q[x]$ is irreducible, then $f(\gamma(x))$ is again irreducible over $F_q$.

Proof: The invertible map $\alpha^{q^i} \to \gamma(\alpha^{q^i}) = \dfrac{a\alpha^{q^i} + b}{c\alpha^{q^i} + d}$ preserves the number of conjugates in a set of conjugates, so the factors of $f(x)$ are matched one-to-one with the factors of $f(\gamma(x))$. □

The fractional linear transformations $\gamma(z) = (az + b)/(cz + d)$, $ad - bc \ne 0$, for which the list of elements $\{\gamma(\eta^{q^{n-1}}), \ldots, \gamma(\eta^q), \gamma(\eta)\}$ forms a normal basis of $F_{q^n}$ over $F_q$ are stated below.

Theorem 3.59. (Sidel’nikov 1988) Let $\gamma(z) = (az + b)/(cz + d)$ be a map of order $n = \mathrm{ord}(\gamma)$. Suppose that the element $\eta \in F_{q^n} - F_q$ of nonzero trace $\mathrm{Tr}(\eta) \in F_q$ is a root of an irreducible factor $f(x)$ of $F(x) = (cx + d)x^q - (ax + b) \in F_q[x]$. Then the list of elements $\{\gamma(\eta^{q^{n-1}}), \ldots, \gamma(\eta^q), \gamma(\eta)\} \subset F_{q^n}$ is linearly independent over $F_q$. Furthermore, the matrix for the change of basis $\eta_i \to \eta\eta_i$ is associated with the multiplication submatrix

η0  τ − ε − en−1  e1 η0  b0         η  e − e −  0 η  b  η 1 =  n 1 n 1  1 + 1 , 0                            ηn−1   en−1 0  en−1 ηn−1  − bn−1 

∗ where e1 = a, ei+1 = γ(ei), t = Tr(η0), and τ = τ − e, with e = ∉ Fq.

By definition of the polynomial $f(x)$ and the map $\phi(z)$, the $\phi$-images of a root $\eta$ of $f(x)$ are the conjugates

$$\eta^q = \phi(\eta) = \frac{a\eta + b}{c\eta + d}, \quad \eta^{q^2} = \phi(\eta^q) = \frac{a\eta^q + b}{c\eta^q + d}, \quad \ldots, \quad \eta^{q^{n-1}} = \phi(\eta^{q^{n-2}}) = \frac{a\eta^{q^{n-2}} + b}{c\eta^{q^{n-2}} + d}.$$

The map $\phi(z)$ imposes a certain structure on the $\phi$-orbit $\mathrm{orb}(\alpha) = \{\alpha, \phi(\alpha), \phi^2(\alpha), \ldots, \phi^{\nu-1}(\alpha)\}$ of an element $\alpha \in F_{q^n}$. By definition of the polynomial $F(x) = (cx + d)x^q - (ax + b) \in F_q[x]$, if the element $\alpha$ is a root of $F(x)$, then $(c\alpha + d)\alpha^q = a\alpha + b$, that is,

$$\alpha^q = \frac{a\alpha + b}{c\alpha + d} = \phi(\alpha).$$

In other words, the map $\phi$ acts as conjugation on the subset $\{\alpha \in F_{q^n} : F(\alpha) = 0\}$, $F_{q^n}$ being the splitting field of $F(x)$. Thus the $\phi$-orbit $\mathrm{orb}(\alpha)$ of any root $\alpha$ of $F(x)$ coincides with the set of conjugates of $\alpha$, so $\mathrm{orb}(\alpha)$ is the set of roots of some irreducible factor $f(x)$ of $F(x)$.

Since the map $\phi(z)$ is of order $n = \mathrm{ord}(\phi)$, the $\phi$-orbits $\mathrm{orb}(\alpha)$ are of length $\#\mathrm{orb}(\alpha) = 1$ or $\#\mathrm{orb}(\alpha) = n$. For example, if the element $\alpha \in F_q$ is a root of the polynomial $F(x) = (cx + d)x^q - (ax + b) \in F_q[x]$, then the $\phi$-orbit $\mathrm{orb}(\alpha) = \{\alpha\}$ is $\alpha$ itself, so it corresponds to a linear factor $x - \alpha$ of $F(x)$; but if the element $\alpha \in F_{q^n} - F_q$ is a root of $F(x)$, then the $\phi$-orbit $\mathrm{orb}(\alpha) = \{\alpha, \phi(\alpha), \phi^2(\alpha), \ldots, \phi^{n-1}(\alpha)\}$ corresponds to a nonlinear factor $f(x)$ of $F(x)$ of degree $n = \deg(f(x))$.


Theorem 3.59. (Sidel’nikov 1988) Let $\phi(z) = (az + b)/(cz + d)$ be a fractional linear transformation and suppose $\eta_0 = \eta$, $\eta_1 = \phi(\eta)$, $\eta_2 = \phi^2(\eta)$, $\ldots$, $\eta_{n-1} = \phi^{n-1}(\eta)$ is a normal basis of $GF(q^n)$ over $GF(q)$. Then the product terms are given by $\eta_i\eta_j = c_{i-j}\eta_i + c_{j-i}\eta_j + s$, $c_i, s \in F_q$.

The factorization of the polynomial $F(x) = (cx + d)x^q - (ax + b)$ falls into four different cases:
(1) $c = 0$ and $d = 1$;
(2) $(a - d)^2 + 4bc = 0$;
(3) $(a - d)^2 + 4bc \ne 0$ is a quadratic residue in $F_q$; and
(4) $(a - d)^2 + 4bc \ne 0$ is not a quadratic residue in $F_q$.

Theorem 3.60. (Blake et al 1997) Let $\phi(z) = (az + b)/(cz + d)$ with $c \ne 0$, $ad - bc \ne 0$ and $d(\phi) = (a - d)^2 + 4bc = 0$, and let $x_0$ be the (double) root of $\phi(z) = z$. Then

$$(cx + d)x^q - (ax + b) = c\,(x - x_0) \prod_{\beta \in T} \Big((x - x_0)^p + (a/c - x_0)\beta^{-1}(x - x_0)^{p-1} - (a/c - x_0)^p\beta^{-1}\Big),$$

where $T = \{0 \ne \beta \in F_q : \mathrm{Tr}(\beta) = 1\}$ and $\mathrm{Tr} : F_q \to F_p$. The leading factor $c$ matches the leading coefficients of both sides; each factor in the product is irreducible of degree $p$, and $\#T = q/p$, so the degrees $q + 1 = 1 + p \cdot q/p$ agree.

For a proof, see Blake et al., [1], Theorem 3.4, p.505.

Theorem 3.61. (Blake et al 19) (1) The roots of the polynomial $x^p - a\beta^{-1}x - a^p\beta^{-1}$ form a normal basis of $F_{q^p}$ over $F_q$. Moreover this basis has complexity $C_N = 3p - 2$. (2) If the element $a = \beta$, then the roots of the polynomial $x^p - x - a^{p-1}$ form a self-dual normal basis of $F_{q^p}$ over $F_q$.

Theorem 3.62. (Blake et al 19) (1) Let $q = p^s$, and let $n \mid (q - 1)(q + 1)$ or $n = p$. Let $\eta_i = \dfrac{a\eta^{q^i} + b}{c\eta^{q^i} + d}$, $t = \mathrm{Tr}(\eta_i)$, and let $v \in F_q$ be the constant with $\mathrm{Tr}(\eta_i\eta_j) = -tv$ for all $i \ne j$. Then the element

$$\delta_i = \delta^{q^i} = \frac{\eta_i + v}{t(t + nv)}$$

is the dual of $\eta_i$.

Proof: For $i \ne j$,

$$\mathrm{Tr}(\eta_i\delta_j) = \mathrm{Tr}\Big(\eta_i \frac{\eta_j + v}{t(t + nv)}\Big) = \frac{tv + \mathrm{Tr}(\eta_i\eta_j)}{t(t + nv)}.$$

Taking the trace of $\eta_i\eta_j = e_{j-i}\eta_i + e_{i-j}\eta_j + u$ yields $\mathrm{Tr}(\eta_i\eta_j) = -tv$, hence $\mathrm{Tr}(\eta_i\delta_j) = 0$. And for $i = j$, using $\eta_i = t - \sum_{j \ne i}\eta_j$,

$$\mathrm{Tr}(\eta_i\delta_i) = \mathrm{Tr}\Big(\eta_i \frac{\eta_i + v}{t(t + nv)}\Big) = \frac{1}{t(t + nv)}\mathrm{Tr}\Big(\eta_i\Big(t + v - \sum_{j \ne i}\eta_j\Big)\Big) = \frac{t^2 + tv + (n - 1)tv}{t(t + nv)} = 1,$$

as claimed. □


Chapter 4

General Periods

Cyclotomic Periods

4.1 Concept of Periods

A period can be viewed as a finite sum $\sum_{x \in K}\psi(x)$ over a subset $K \subset R$ of a ring $R$. The function $\psi$ is defined on $R$ and assumed to be fixed. The notion of periods is quite general and can be defined on arbitrary sets as well as groups. The most common and best known case is the cyclotomic period. A cyclotomic period is simply an incomplete exponential sum $\sum_{x \in K}\psi(x)$ with respect to a fixed character. The character is the complex-valued function $\psi(x) = e^{i2\pi x/p}$ or the finite-field-valued function $\psi(x) = \omega^x$, where $\omega$ is a primitive $p$th root of unity in a finite extension $F_{q^n}$ of $F_q$, and the coset $K = K_i$ is a residue class of $F_p$. The cyclotomic periods for several other exponential functions have also been investigated in the literature. In [2, McEliece et al], the coset $K$ is a residue class $K_i$ of an extension $F_{q^n}$ of $F_p$, and the cyclotomic hyperperiods using $\psi(x) = \sum_{t \ne 0} e^{i2\pi(t + x/t)/p}$ are considered in [2, Lehmer] and others. Several generalizations of the cyclotomic periods are considered, and some of the basic results on this topic will be presented in this chapter.

Definition 4.1. Let $S$ be a nonempty set, let $S = S_0 \cup S_1 \cup \cdots \cup S_{n-1}$ be a partition of $S$, and let $f$ be a function on $S$. The periods are defined by the list of elements

$$\eta_0 = \sum_{x \in S_0} f(x), \quad \eta_1 = \sum_{x \in S_1} f(x), \quad \ldots, \quad \eta_{n-1} = \sum_{x \in S_{n-1}} f(x).$$

The number of distinct periods in the list is the degree of the periods. The simplest nontrivial periods are the quadratic periods, for which $S = S_0 \cup S_1$ with $k = \#S_0 = \#S_1$ and $2k = \#S$; in general, periods of degree $n$ arise from a partition of a set of $kn$ elements into $n$ subsets of $k$ elements each.

As an instance, consider a function $f$ on the set $\Omega = \{\omega^i : 1 \le i \le 2n\} \subset R$ of nontrivial $p$th roots of unity in a ring $R$, $p = 2n + 1$, and let the subsets $S_i = \{\omega^{i+1}, \omega^{n+i+1}\}$, $0 \le i < n$, be a partition of $\Omega$. Then the periods of degree $n$ are given by

$$\eta_0 = f(\omega) + f(\omega^{n+1}), \quad \eta_1 = f(\omega^2) + f(\omega^{n+2}), \quad \ldots, \quad \eta_{n-1} = f(\omega^n) + f(\omega^{2n}).$$

Each summation here is over a subset of points $S_i \subset S$, and the function $f$ is fixed.

Other related elements are the coperiods. The summation in the definition of a coperiod is over a subset of functions $L_i \subset L \subset L(S)$ of the set of functions on a set $S$, and the point $x \in S$ is fixed.

Definition 4.2. Let $L = L_0 \cup L_1 \cup \cdots \cup L_{n-1}$ be a partition of the set of functions $L$ on $S$, and let $x \in S$ be a fixed point. The coperiods are defined by the list of elements

$$\gamma_0 = \sum_{f \in L_0} f(x), \quad \gamma_1 = \sum_{f \in L_1} f(x), \quad \ldots, \quad \gamma_{n-1} = \sum_{f \in L_{n-1}} f(x).$$


Example 4.3. Take the prime integer $r = 2n + 1$ and a prime power $q$ of order $\mathrm{ord}_r(q) = 2n$ modulo $r$, so that a primitive $r$th root of unity $\omega$ lies in the extension $F_{q^{2n}}$ of $F_q$ of degree $2n$ and $\omega^{q^n} = \omega^{-1}$. Consider the partition $L_0 = \{1, \sigma^n\}$, $L_1 = \{\sigma, \sigma^{n+1}\}$, $\ldots$, $L_i = \{\sigma^i, \sigma^{n+i}\}$, $\ldots$, $L_{n-1} = \{\sigma^{n-1}, \sigma^{2n-1}\}$ of $\mathrm{Gal}(F_{q^{2n}}/F_q) = \{1, \sigma, \sigma^2, \ldots, \sigma^{2n-1}\}$, $\sigma(x) = x^q$. Then the coperiods in $F_{q^{2n}}$ are given by the list

$$\gamma_0 = \sum_{j \in S_0} \sigma^j(\omega) = \omega + \omega^{-1}, \quad \gamma_1 = \sum_{j \in S_1} \sigma^j(\omega) = \omega^q + \omega^{-q}, \quad \ldots, \quad \gamma_{n-1} = \sum_{j \in S_{n-1}} \sigma^j(\omega) = \omega^{q^{n-1}} + \omega^{-q^{n-1}}.$$

In practice it is quite common to use the partition $S_0 = \{0, n\}$, $S_1 = \{1, n + 1\}$, $\ldots$, $S_i = \{i, n + i\}$, $\ldots$, $S_{n-1} = \{n - 1, 2n - 1\}$ of the isomorphic group $\mathbb{Z}_{2n}$ as indices in place of $L_i = \{\sigma^i, \sigma^{n+i}\}$.

In some cases the periods and coperiods are exactly the same elements. This is the case for the function $f_x(\omega) = \sigma^x(\omega)$, where $\sigma^x \in G$, so $\eta_i = \gamma_i$.

Periods Generating Maps

The functions appearing in the definition of the periods are called periods generating maps. The automorphisms in the group $G = \mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q})$, where $\omega$ is a primitive $p$th root of unity in $\mathbb{Q}(\omega)$, or $G = \mathrm{Gal}(F_{q^n}/F_q) = \{1, \sigma, \sigma^2, \ldots, \sigma^{n-1}\}$, where $F_{q^n}$ is an extension of $F_q$ of degree $n$, and the character group $\hat{G} = \{\text{characters on a group } G\}$ have very rich structures, and are probably some of the most interesting periods generating maps. Other structured functions are of interest too.

Definition 4.4. Let $k, n, r \in \mathbb{N}$ be integers such that $\varphi(r) = kn$, $r = r_1 r_2$, where $r_1$ is squarefree, and let $v_\ell = v_\ell(r_2)$ be the valuation of $r_2$ at the prime $\ell$. Then the function

$$f(x) = x^{r_2} \prod_{\ell \mid r_2} \sum_{1 \le i \le v_\ell} x^{r\ell^{-i}}$$

is a periods generating map.

For squarefree integers $r$ this reduces to $f(x) = x$; for more details see [1, Feisel et al.].

Partitions of Sets

The partitions used in the construction of cyclotomic periods and period normal bases require well-structured partitions and subsets of uniform cardinalities. The $n$th power residue partitions have the structure sought after, so the sets $S$ are the multiplicative groups $\mathbb{Z}_r^*$ of the residue number systems $\mathbb{Z}_r$, $r \in \mathbb{N}$, $\varphi(r) = kn$.

The concentration here will be on the following groups and sets:

(1) $\mathbb{Z}_r^* = \{x \in \mathbb{Z}_r : \gcd(x, r) = 1\}$,
(2) $\mathrm{Gal}(F_{q^n}/F_q) = \{1, \sigma, \sigma^2, \ldots, \sigma^{n-1}\}$, where $F_{q^n}$ is a finite extension of $F_q$ of degree $n$,
(3) $\mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q})$, where $\omega$ is a primitive $p$th root of unity in $\mathbb{Q}(\omega)$,
(4) $\hat{G} = \{\text{characters on a group } G\}$, and the set
(5) $\Omega = \{1 \ne \omega : \omega \text{ is an } r\text{th primitive root of unity in } \mathbb{C} \text{ or } F_{q^n}\}$, $r = kn + 1$ an integer.

The multiplicative group of $\mathbb{Z}_r$ comes in three varieties depending on the prime factors of the integer $r$. The three structures are as follows.

Structure of the Group $\mathbb{Z}_r^*$

(1) $\mathbb{Z}_{2^v}^* \cong \mathbb{Z}_2 \times \mathbb{Z}_{2^{v-2}} = \langle -1, 5 \rangle$, $v \ge 3$ (the group is trivial for $v = 1$ and cyclic of order 2 for $v = 2$).
(2) $\mathbb{Z}_{p^v}^* \cong \langle g \rangle$, prime $p > 2$, $g$ a generator, and $v \ge 1$.
(3) $\mathbb{Z}_r^* \cong \mathbb{Z}_{p_1^{v_1}}^* \times \mathbb{Z}_{p_2^{v_2}}^* \times \cdots \times \mathbb{Z}_{p_a^{v_a}}^*$, where $r = p_1^{v_1}p_2^{v_2}\cdots p_a^{v_a}$.

A union S = S0 ∪ S1 ∪ ⋅⋅⋅ ∪ Sn−1 of disjoint subsets S0, S1, ..., Sn−1 of a set S is called a partition of S. The disjoint condition stipulates that Si ∩ Sj = ∅ for all i ≠ j.

The number of partitions of a set $S$ of cardinality $m = \#S$ into $n$ nonempty subsets (of any cardinalities) is given by the Stirling number of the second kind

$$S(m, n) = \frac{1}{n!} \sum_{d=0}^{n} (-1)^{n-d} \binom{n}{d} d^m.$$

However, the recursive relation

$$S(m, n) = S(m - 1, n - 1) + nS(m - 1, n),$$

where $S(m, 1) = S(m, m) = 1$, $m \ge 2$, is more efficient in numerical calculations.

The total number of partitions into labelled blocks $S_0, S_1, \ldots, S_{n-1}$ of uniform cardinalities $k_0 = k_1 = \cdots = k_{n-1} = k$ is given by

$$\binom{kn}{k}\binom{kn - k}{k}\binom{kn - 2k}{k} \cdots \binom{2k}{k}\binom{k}{k} = \frac{(kn)!}{(k!)^n},$$

where $kn = \#S$.

4.2 Cyclotomic Periods

A cyclotomic period is simply an incomplete exponential sum $\sum_{x \in K}\psi(x)$ with respect to a fixed character or exponential function $\psi$ on a coset $K$ of some group $G$. The best known case, called a Gaussian period, is constructed with the complex-valued function $\psi(x) = e^{i2\pi x/p}$ or the finite-field-valued function $\psi(x) = \omega^x$, where $\omega$ is a primitive $p$th root of unity in a finite extension $F_{q^n}$ of $F_q$, and the coset $K = K_i$ is a residue class of $F_p$.

The periods based on the complex-valued function $\psi(x) = e^{i2\pi x/p}$ have been investigated for quite some time, perhaps over two centuries, confer [1, Gauss, Art. 343-366].

Gaussian Periods

An important class of periods is derived from the algebraic structure of the residue number systems $\mathbb{Z}_r$. The partitions used in the construction of the Gaussian periods consist of the cosets of a subgroup of $\mathbb{Z}_r^*$.

Definition 4.5. Let $p = kn + 1 \in \mathbb{N}$ be prime. An element $0 \ne a \in F_p$ is an $n$th power residue if $a^{(p-1)/n} = 1$ in $F_p$. In other words, the pure equation $x^n - a = 0$ has at least one solution $0 \ne x$ in $F_p$. Otherwise $a$ is an $n$th power nonresidue.

Definition 4.6. Let $p = kn + 1$ be prime, and let $g$ be a generator of the multiplicative group $F_p^*$. Then the coset decomposition of $F_p^*$ with respect to $g$ is defined by

$$F_p^* = \bigcup_{i=0}^{n-1} g^i \{g^{jn} : 0 \le j < k\},$$

where the integers $g^{jn+i}$ in each coset $K_i = \{g^{jn+i} : 0 \le j < k\} = g^iK_0$ are reduced modulo $p$; there are $n$ cosets of $k$ elements each.

The first coset $K_0 = \{g^{jn} : 0 \le j < k\} = (F_p^*)^n$ consists of all the $n$th power residues in $F_p^*$, and the other cosets consist of subsets of $n$th power nonresidues. If the modulus is not prime, then the multiplicative group need not be cyclic, the subgroup $K_0$ of index $n$ is not unique, and the set of periods of degree $n$ is not unique.

If the generator $g$ is not readily available, the cosets can be generated recursively:

$$K_0 = \{x^n : 0 \ne x \in F_p\}, \quad K_1 = x_1K_0 \text{ for some } x_1 \notin K_0, \quad K_2 = x_2K_0 \text{ for some } x_2 \notin K_0 \cup K_1, \quad \ldots$$

The cosets form a disjoint partition of $F_p^*$. Nondisjoint unions of subsets of $F_p^*$ are also useful in the construction of more general periods.

Definition 4.7. Let $p = kn + 1$ be prime, and let $g$ be a primitive root in $F_p$. The Gaussian periods of degree $n$ are the elements

$$\eta_0 = \sum_{j=0}^{k-1} e^{i2\pi g^{jn}/p}, \quad \eta_1 = \sum_{j=0}^{k-1} e^{i2\pi g^{jn+1}/p}, \quad \ldots, \quad \eta_{n-1} = \sum_{j=0}^{k-1} e^{i2\pi g^{jn+n-1}/p}.$$

It is convenient to refer to these elements as periods of type $(k, n)$. A type $(k, n)$ period is a sum of $k$ elements, and the minimal polynomial $\psi_p(x)$ of the period $\eta_0$ is a polynomial of degree $n$. The polynomials $\psi_p(x)$ are investigated in Chapter 5.


Lemma 4.8. If $p \equiv 1 \bmod 2n$, then the following are equivalent.
( 1 ) The pure equation $x^n + 1 = 0$ has a nonzero solution in $\mathbb{F}_p$, that is, $-1$ is an $n$th power residue.
( 2 ) The periods $\eta_0, \eta_1, \dots, \eta_{n-1}$ are real numbers.

Proof: (1) is equivalent to $-1 \in K_0 = \{\, g^{jn} : 0 \le j < k \,\} = (\mathbb{F}_p^*)^n$. The hypothesis $p \equiv 1 \bmod 2n$ means that $k$ is even, so $-1 = g^{kn/2} = (g^{k/2})^n \in K_0$. (2) Since $-1 = g^{kn/2}$, the $n$th power residues occur in pairs $(g^{jn}, g^{jn + kn/2} = -g^{jn})$, $0 \le j < k/2$, that is, $k/2$ pairs in all, and the same holds in every coset $K_i = g^i K_0$. Thus the exponential sums $\eta_i$ are actually sums of cosines, $\eta_i = \sum_{j=0}^{k/2-1} 2\cos(2\pi g^{jn+i}/p)$, and in particular real. $\square$

A different proof, from a different point of view, is given in [1, Berndt et al., p. 176].

4.3 Cyclotomic Numbers

The theory of cyclotomic numbers is tightly linked to the arithmetic of cyclotomic fields. A limited amount of background material on cyclotomic fields is provided here. For finer analysis consult the literature.

Theorem 4.9. Let $p = kn + 1$ be a prime integer, $g$ a primitive root modulo $p$, and let $\omega = e^{2\pi i/p} \in \mathbb{C}$. Then the following hold.

( 1 ) $\mathbb{Q}(\omega)$ is an extension of $\mathbb{Q}$ of degree $kn = p - 1 = [\mathbb{Q}(\omega) : \mathbb{Q}]$, with Galois group $\mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q}) = \{ 1, \tau, \tau^2, \dots, \tau^{kn-1} \}$, where the generating automorphism is defined by $\tau(\omega) = \omega^g$.

( 2 ) $\mathbb{Q}(\eta_0)$ is an extension of $\mathbb{Q}$ of degree $n = [\mathbb{Q}(\eta_0) : \mathbb{Q}]$, with Galois group $\mathrm{Gal}(\mathbb{Q}(\eta_0)/\mathbb{Q}) = \{ 1, \sigma, \sigma^2, \dots, \sigma^{n-1} \}$, where $\sigma$ is the restriction of $\tau$ to $\mathbb{Q}(\eta_0)$; it acts by $\sigma(\eta_j) = \eta_{j+1}$, indices modulo $n$. This is the unique subfield of $\mathbb{Q}(\omega)$ of degree $n$ over $\mathbb{Q}$.

( 3 ) $\mathbb{Q}(\omega)$ is an extension of $\mathbb{Q}(\eta_0)$ of degree $k = [\mathbb{Q}(\omega) : \mathbb{Q}(\eta_0)]$, with Galois group $\mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q}(\eta_0)) = \{ 1, \tau^n, \tau^{2n}, \dots, \tau^{(k-1)n} \}$.

The subfield $\mathbb{Q}(\eta_0)$ of $\mathbb{Q}(\omega)$ is the fixed field of the subgroup $H = \mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q}(\eta_0)) = \{ 1, \tau^n, \tau^{2n}, \dots, \tau^{(k-1)n} \}$ of $\mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q}) = \{ 1, \tau, \tau^2, \dots, \tau^{kn-1} \}$. Under the isomorphism $\mathbb{F}_p^* \to \mathrm{Gal}(\mathbb{Q}(\omega)/\mathbb{Q})$, $g^m \mapsto \tau^m$, the subgroup $K_0$ corresponds to $H$ and the coset $K_i = g^i K_0$ corresponds to the coset $\tau^i H$, see [1, Washington, p. 16].

Lemma 4.10. ( 1 ) The set $\{ 1, \omega, \omega^2, \dots, \omega^{kn-1} \}$ is a $\mathbb{Z}$-basis of the ring of algebraic integers $\mathbb{Z}[\omega]$ of the field $\mathbb{Q}(\omega)$. ( 2 ) The periods $\{ \eta_0, \eta_1, \dots, \eta_{n-1} \}$ form a $\mathbb{Z}$-basis of the ring $\mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}]$ of algebraic integers of the field $\mathbb{Q}(\eta_0)$. ( 3 ) The set $\{ 1, \omega, \omega^2, \dots, \omega^{k-1} \}$ is a $\mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}]$-basis of the ring of algebraic integers $\mathbb{Z}[\omega]$ of the field $\mathbb{Q}(\omega)$.


Quite often the subring of algebraic integers $\mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}] = \mathbb{Z}[\eta_0] = \mathbb{Z}[\eta_1] = \cdots = \mathbb{Z}[\eta_{n-1}]$; for example, if $2 = k = (p - 1)/n$, then the ring of integers is $\mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}] = \mathbb{Z}[\omega + \omega^{-1}]$ and the subfield is $\mathbb{Q}(\omega + \omega^{-1})$; these are the maximal real subring and subfield of $\mathbb{Z}[\omega]$ and $\mathbb{Q}(\omega)$ respectively. But in general, for $k > 2$, this is not true. It fails because there are primes for which the linear expansions

$$\eta_i = \sum_{j=0}^{n-1} a_{i,j}\,\eta_0^{\,j}$$

require some rational coefficients $a_{i,j} \notin \mathbb{Z}$, see [1, Washington, p. 17].

In the subring of cyclotomic integers $\mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}]$ the product of two Gaussian periods is expressible as a linear combination of the same periods with integer coefficients.

Definition 4.11. The multiplication table or matrix $T = (t_{i,j,k})$ attached to the cyclotomic periods is defined by

$$\eta_i \eta_j = \sum_{k=0}^{n-1} t_{i,j,k}\,\eta_k .$$

The most important linear expansions of the pairwise products are the following, for $i = 0, 1, \dots, n-1$:

$$\eta_0 \eta_i = \Big( \sum_{a=0}^{k-1} e^{2\pi i g^{an}/p} \Big)\Big( \sum_{b=0}^{k-1} e^{2\pi i g^{bn+i}/p} \Big) = \varepsilon_i + \sum_{j=0}^{n-1} (i, j)\,\eta_j ,$$

where the constant term is $\varepsilon_i = k$ if $-1 \in K_i$ and $\varepsilon_i = 0$ otherwise. Since $-1 = g^{kn/2}$ lies in $K_0$ when $k$ is even and in $K_{n/2}$ when $k$ is odd, this is also written in terms of the impulse function as

$$\varepsilon_i = \begin{cases} k\,\delta_{0,i} & k \text{ even}, \\ k\,\delta_{n/2,i} & k \text{ odd}. \end{cases}$$

The other linear expansions of the pairwise products $\eta_i \eta_j$ are derived by repeated application of the automorphism $\tau$. In particular, from the identity $\tau^v(\eta_i \eta_j) = \eta_{i+v}\eta_{j+v}$, the pairwise products become

$$\eta_i \eta_j = \tau^i(\eta_0 \eta_{j-i}) = \sum_{k=0}^{n-1} \tau^i(t_{0,j-i,k}\,\eta_k) = \sum_{k=0}^{n-1} t_{0,j-i,k-i}\,\eta_k = \sum_{k=0}^{n-1} t_{j-i,k-i}\,\eta_k ,$$

where the coefficients $t_{a,b} = t_{0,a,b}$ and all indices are taken modulo $n$.

Definition 4.12. The complexity of multiplication in the subfield $\mathbb{Q}(\eta_0)$ over $\mathbb{Q}$ is defined by $w(T_0) = \#\{\, t_{0,j,k} \ne 0 \,\}$.

The coefficients $(i, j)$ appearing in the linear expansion

$$\eta_0 \eta_i = (i, 0)\eta_0 + (i, 1)\eta_1 + \cdots + (i, n-1)\eta_{n-1} + \varepsilon_i$$

are classically known as cyclotomic numbers.

In the literature there are a few equivalent working definitions of these numbers. One of them is given below.

Definition 4.13. Let $p = kn + 1$ be prime, and let $g$ be a primitive root modulo $p$. The cyclotomic number $(i, j)$ counts the number of solutions of the congruence

$$1 + g^{nx+i} \equiv g^{ny+j} \pmod p,$$

where $0 \le i, j < n$ and $0 \le x, y < k$; equivalently, $(i, j) = \#\{\, z \in K_i : 1 + z \in K_j \,\}$. These numbers depend on both the prime $p$ and the primitive root $g$.

For a small prime $p$, an easy and intuitive method of computing $(i, j)$ is to count the elements of the sequence $\langle\, 1 + g^i y : y \in K_0 \,\rangle$ that fall in the coset $K_j = \{\, g^{nv+j} \bmod p : 0 \le v < k \,\}$. Equivalently, count how many of the $k^2$ elements $z_d = x + g^i y$, $x, y \in K_0$, $d = 0, 1, \dots, k^2 - 1$, fall in $K_j$ and divide by $k$, since $x + g^i y = x(1 + g^i y/x)$ and $y/x$ runs over $K_0$ exactly $k$ times.

Example 4.14. Let $p = kn + 1 = 11$ ($n = 2$ and $k = 5$), and let the cosets of quadratic residues and nonresidues in $\mathbb{F}_{11}^*$ be $K_0 = \{ 1, 4, 5, 9, 3 \}$ and $K_1 = \{ 2, 8, 10, 7, 6 \}$, listed as $g^{2x}$ and $g^{2x+1}$ for $x = 0, \dots, 4$ with $g = 2$. Then the cyclotomic numbers are

$(0, 0) = \#\{ (x, y) : 1 + 2^{2x} \equiv 2^{2y} \bmod 11,\ 0 \le x, y < 5 \} = 2$ (namely $1 + 4 = 5$ and $1 + 3 = 4$),

$(0, 1) = \#\{ (x, y) : 1 + 2^{2x} \equiv 2^{2y+1} \bmod 11,\ 0 \le x, y < 5 \} = 3$ (namely $1 + 1$, $1 + 5$, $1 + 9$),

$(1, 0) = \#\{ (x, y) : 1 + 2^{2x+1} \equiv 2^{2y} \bmod 11,\ 0 \le x, y < 5 \} = 2$ (namely $1 + 2$, $1 + 8$), and

$(1, 1) = \#\{ (x, y) : 1 + 2^{2x+1} \equiv 2^{2y+1} \bmod 11,\ 0 \le x, y < 5 \} = 2$ (namely $1 + 7$, $1 + 6$; the element $1 + 10 \equiv 0$ is counted nowhere).

In general an arbitrary partition of a set induces a set of periods. However, the complete set of the numbers $(i, j)$ that arise in the linear combinations

$$\eta_0 \eta_i = (i, 0)\eta_0 + (i, 1)\eta_1 + \cdots + (i, n-1)\eta_{n-1} + \varepsilon_i$$

exists (is defined) only if the $\mathbb{Z}$-span $\mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}]$ of the periods is closed under multiplication, that is, only if it is a ring over the integers $\mathbb{Z}$.

4.4 Linear and Algebraic Properties of the Integers (i, j)

The linear properties of the cyclotomic numbers are basic tools used in the investigation of the periods. All indices are read modulo $n$.

Entries Relations
( 1 ) $(i, j) = (i + sn, j + tn)$ for $s, t \in \mathbb{N}$, the shift-invariant property.

( 2 ) $(i, j) = (n - i, j - i)$, the circulant property (divide the congruence $1 + g^{nx+i} \equiv g^{ny+j}$ by $g^{nx+i}$).

( 3 ) $(i, j) = \begin{cases} (j, i) & \text{if } p = 2 \text{ or } k \text{ is even}, \\ (j + n/2, i + n/2) & \text{if } k \text{ and } p \text{ are both odd}. \end{cases}$

Sums Relations
( 4 ) $\displaystyle\sum_{i=0}^{n-1} (i, j) = k - a_j$, where $a_j = 1$ if $j = 0$ and $a_j = 0$ otherwise (the element $1 \in K_0$ is the only $w \in \mathbb{F}_p^*$ with $w - 1 = 0$).

( 5 ) $\displaystyle\s\sum_{j=0}^{n-1} (i, j) = k - b_i$, where $b_i = 1$ if $k$ is even and $i = 0$, $b_i = 1$ if $k$ is odd and $i = n/2$, and $b_i = 0$ otherwise (the element $-1 \in K_i$ is the only $z$ with $1 + z = 0$).

( 6 ) If $g$ is a primitive root modulo $p$, and $(i, j) = (i, j)_1$ and $(i, j)_s$ are the cyclotomic numbers with respect to the primitive roots $g$ and $g^s$ respectively, with $\gcd(s, p - 1) = 1$, then $(i, j)_s = (si, sj)$, because $g^s$ gives the same subgroup $K_0$ and numbers the cosets as $K'_i = g^{si} K_0 = K_{si}$.

Property (3) specifies the symmetries of the integers $(i, j)$ along the diagonals. Properties (4) and (5) are the column sums of the $(i, j)$ for a fixed index $j$ and the row sums for a fixed index $i$ respectively.

Cyclotomic Matrices. A cyclotomic matrix of type $(k, n)$ is an $n \times n$ array $C_k(n) = ( (i, j) )$ with entries in $\mathbb{Z}$. The linear properties are used in the construction of these matrices. Properties (1), (2), and (3) specify the symmetries along the diagonals of the matrix. The structure of this matrix depends on the parity of the parameter $k$ in the prime $p = kn + 1$. Specifically, property (3) indicates that the matrix is symmetric if $k$ is even and, in general, nonsymmetric if $k$ is odd.

As an illustration, consider the simplest ones, of type $(k, 2)$ and type $(k, 3)$. The type $(k, 2)$ matrix for the prime $kn + 1 = 2k + 1$ comes in two varieties:

$$C_k(2) = \begin{pmatrix} (0,0) & (0,1) \\ (1,0) & (1,1) \end{pmatrix} = \begin{pmatrix} (0,0) & (0,1) \\ (0,1) & (0,1) \end{pmatrix} \quad\text{or}\quad C_k(2) = \begin{pmatrix} (0,0) & (0,1) \\ (1,0) & (1,1) \end{pmatrix} = \begin{pmatrix} (0,0) & (0,1) \\ (0,0) & (0,0) \end{pmatrix}$$

for $k$ even or $k$ odd respectively. The type $(k, 3)$ matrix for $p = kn + 1 = 3k + 1$ (here $k$ is always even) has the form

$$C_k(3) = \begin{pmatrix} (0,0) & (0,1) & (0,2) \\ (1,0) & (1,1) & (1,2) \\ (2,0) & (2,1) & (2,2) \end{pmatrix} = \begin{pmatrix} (0,0) & (0,1) & (0,2) \\ (0,1) & (0,2) & (1,2) \\ (0,2) & (1,2) & (0,1) \end{pmatrix}.$$

4.5 Characterization of the Cyclotomic Periods

Several properties of the Gaussian periods uniquely identify the subset $\{ \eta_0, \eta_1, \dots, \eta_{n-1} \}$ of periods, and give a complete characterization.

Theorem 4.15. Let $\theta_0, \theta_1, \dots, \theta_{n-1} \in \mathbb{Q}(\omega)$, and suppose that
( 1 ) $\theta_{i+nj} = \theta_i$ for $j \in \mathbb{N}$.
( 2 ) The subset $\{ \theta_0, \theta_1, \dots, \theta_{n-1} \}$ is linearly independent over $\mathbb{Q}$.
( 3 ) $\theta_0 + \theta_1 + \cdots + \theta_{n-1} = -1$.
( 4 ) $\displaystyle\sum_{j=0}^{n-1} \theta_j \theta_{j+i} = p\,\varepsilon_i/k - k$, that is, $p - k$ if $-1 \in K_i$ (namely $i = 0$ for $k$ even, $i = n/2$ for $k$ odd) and $-k$ otherwise.
( 5 ) $\displaystyle p^{-1}\Big( k^2 + \sum_{d=0}^{n-1} \theta_d \theta_{d+i} \theta_{d+j} \Big) \in \mathbb{Z}$ for all $0 \le i, j < n$.

Then $\theta_0, \theta_1, \dots, \theta_{n-1}$ are the Gaussian periods of degree $n$. Conversely, if $\theta_0, \theta_1, \dots, \theta_{n-1}$ are the Gaussian periods of degree $n$, then properties (1) to (5) hold.

Proof: Confer [1, Thaine, p. 38]. $\square$


Inversion Formula. The individual numbers $(i, j)$ can be recovered via the inversion formula.

Theorem 4.16. Let $p = kn + 1$ be a prime integer, and let $\eta_0, \eta_1, \dots, \eta_{n-1}$ be the periods of degree $n$. Then

$$(i, j) = \begin{cases} \displaystyle p^{-1}\Big( k^2 + \sum_{d=0}^{n-1} \eta_d \eta_{d+i} \eta_{d+j} \Big) & p = 2, \text{ or } p > 2 \text{ and } k \text{ even}, \\[2ex] \displaystyle p^{-1}\Big( k^2 + \sum_{d=0}^{n-1} \eta_d \eta_{d+i} \eta_{d+j+n/2} \Big) & p > 2 \text{ and } k \text{ odd}. \end{cases}$$

Proof: In the sum of triple products $\eta_d \eta_{d+i} \eta_{d+j}$ replace $\eta_d \eta_{d+i} = \tau^d(\eta_0 \eta_i)$ by its linear expansion $\sum_u t_{i,u}\,\eta_{d+u}$, and rescale the index. Then

$$\sum_{d=0}^{n-1} \eta_d \eta_{d+i} \eta_{d+j} = \sum_{u=0}^{n-1} t_{i,u} \sum_{d=0}^{n-1} \eta_{d+u} \eta_{d+j} = \sum_{u=0}^{n-1} t_{i,u} \sum_{d=0}^{n-1} \eta_d \eta_{d+j-u} .$$

Now substitute property (4) of Theorem 4.15 for the inner sum over $d$, to obtain

$$\sum_{d=0}^{n-1} \eta_d \eta_{d+i} \eta_{d+j} = \sum_{u=0}^{n-1} \big( p\,\varepsilon_{j-u}/k - k \big)\, t_{i,u} .$$

Only the one index $u$ with $-1 \in K_{j-u}$ contributes to the $p$-term; since $t_{i,u} = (i, u) - \varepsilon_i$, apply the sum relation (5) of Section 4.4 to $\sum_u t_{i,u}$ and simplify. $\square$

Further material, identities and more, is available in [1, Storer], [1, Thaine, p. 37] or similar sources.

4.6 Cyclotomic Numbers of Short Type

The cyclotomic numbers corresponding to a small parameter $n$ will be referred to as cyclotomic numbers of short type $(k, n)$, and those with a large parameter $n$ as cyclotomic numbers of long type $(k, n)$. There is interest in determining closed form formulae for the numbers $(i, j)$ as functions of the primes $p = kn + 1$.

There are several techniques used in the calculation of the cyclotomic numbers. Two of these are the following.

( 1 ) Quadratic Partition Method. This technique uses the solutions of a system of equations involving the quadratic partition of the prime $p$ and other related parameters. The cyclotomic numbers are expressed in terms of these parameters. This is an effective method for small $n$ only, since as $n$ increases the system of equations describing the quadratic partition of the prime $p$ becomes very complex.

( 2 ) Exponential Sums Method. This is also an effective method, but for small $n$ only, since the evaluations of the exponential sums involved for large $n$ are not known.

Case n = 2. The linear properties (2) to (5) yield the system of equations

$$(0, 0) + (0, 1) = k - 1,\quad 2(0, 1) = k \qquad\text{or}\qquad (0, 0) + (0, 1) = k,\quad 2(1, 1) = k - 1,$$

depending on the parity of $k$, even or odd respectively, together with $(1, 0) = (1, 1)$ from property (2) and $(1, 0) = (0, 1)$ ($k$ even) or $(1, 1) = (0, 0)$ ($k$ odd) from property (3). The solutions of this system yield the next result.

Lemma 4.17. If $2k + 1$ is a prime, then the cyclotomic numbers of type $(k, 2)$ are given by

( 1 ) $(0, 1) = (1, 0) = (1, 1) = k/2$, and $(0, 0) = (k - 2)/2$, if $k$ is even, or

( 2 ) $(0, 0) = (1, 0) = (1, 1) = (k - 1)/2$, and $(0, 1) = (k + 1)/2$, if $k$ is odd.

Thus the type $(k, 2)$ matrix is given by either

$$C_k(2) = \begin{pmatrix} (k-2)/2 & k/2 \\ k/2 & k/2 \end{pmatrix} \quad\text{or}\quad C_k(2) = \begin{pmatrix} (k-1)/2 & (k+1)/2 \\ (k-1)/2 & (k-1)/2 \end{pmatrix},$$

where the integer $k$ is even or odd respectively.

The numbers $(i, j)$ of type $(k, 2)$ are also related to the numbers, counting multiplicities, of representations of the elements of $\mathbb{F}_p$ in the forms $x + y$, $x + ay$, and $-(x + ay)$, as the variables $x$ and $y$ range over $K_0$ and $a$ is a fixed quadratic nonresidue in $\mathbb{F}_p$; and, up to $k$ depending on the parity of $k$, to the coefficients of the linear expansions

$$\eta_0 \eta_0 = a\eta_0 + b\eta_1 \quad\text{and}\quad \eta_0 \eta_1 = c\eta_0 + d\eta_1,\qquad a, b, c, d \in \mathbb{Z},$$

obtained from the expansions of Section 4.3 by rewriting the constant $\varepsilon_i = k$ as $-k(\eta_0 + \eta_1)$. The coefficients are the following:

( 1 ) $a = (0, 0) - k$, $b = (0, 1) - k$, $c = (1, 0)$, and $d = (1, 1)$, if $k$ is even, or
( 2 ) $a = (0, 0)$, $b = (0, 1)$, $c = (1, 0) - k$, and $d = (1, 1) - k$, if $k$ is odd.


As an instance, for $p = 11$ ($k = 5$), the coefficients are $a = (0, 0) = 2$, $b = (0, 1) = 3$, $c = (1, 0) - k = -3$, and $d = (1, 1) - k = -3$, so

$$\eta_0 \eta_0 = 2\eta_0 + 3\eta_1, \quad\text{and}\quad \eta_0 \eta_1 = -3(\eta_0 + \eta_1) = 3 .$$

Case n = 3. Let $p = kn + 1 = 3k + 1$ be a prime and $g$ a primitive root modulo $p$. The prime $p$ splits in $\mathbb{Q}(e^{2\pi i/3})$, and the equation $4p = A^2 + 3B^2$ has four solutions $(\pm A, \pm B)$. The quadratic partition specified by the relations below gives a unique one.

( 1 ) $4p = A^2 + 3B^2$, ( 2 ) $A \equiv 1 \bmod 3$ and $B \equiv 0 \bmod 3$, and ( 3 ) $3B \equiv \big( g^{(p-1)/3} - g^{2(p-1)/3} \big) A \bmod p$.

Line (2) above specifies a solution $(A, \pm B)$ of equation (1), and condition (3) determines a unique $B$ or $-B$. This in turn determines a unique cyclotomic matrix of type $(k, 3)$, one of the two possible matrices determined by $\pm B$. However, if the prime is large, condition (3) is cumbersome to obtain or very difficult to compute. The actual $3 \times 3$ symmetric matrix is

$$C_k(3) = \begin{pmatrix} (0,0) & (0,1) & (0,2) \\ (1,0) & (1,1) & (1,2) \\ (2,0) & (2,1) & (2,2) \end{pmatrix} = \begin{pmatrix} (0,0) & (0,1) & (0,2) \\ (0,1) & (0,2) & (1,2) \\ (0,2) & (1,2) & (0,1) \end{pmatrix}.$$

Lemma 4.18. Let $p = kn + 1 = 3k + 1$ be a prime such that $4p = A^2 + 27B^2$ and $A \equiv 1 \bmod 3$, where $B$ is the $B/3$ of the partition above, so that condition (3) reads $9B \equiv \big( g^{(p-1)/3} - g^{2(p-1)/3} \big) A \bmod p$. Then the cyclotomic numbers of type $(k, 3)$ are given by

( 1 ) $(0, 0) = (p - 8 + A)/9$,
( 2 ) $(0, 1) = (1, 0) = (2, 2) = (2p - 4 - A + 9B)/18$,
( 3 ) $(0, 2) = (2, 0) = (1, 1) = (2p - 4 - A - 9B)/18$, and
( 4 ) $(1, 2) = (2, 1) = (p + 1 + A)/9$.

Proof: Only four of the numbers $(i, j)$, $0 \le i, j < 3$, are independent. The linear properties (2) and (3) are used to establish the equalities $(0, 1) = (1, 0)$, $(0, 1) = (2, 2)$, $(0, 2) = (2, 0) = (1, 1)$, and $(1, 2) = (2, 1)$ in the matrix above. This leads to the row sums, of which only two are distinct:

$$(0, 0) + (0, 1) + (0, 2) = k - 1, \qquad (0, 1) + (0, 2) + (1, 2) = k .$$

The other equations needed to complete the calculation, and the other details of the proof, appear in [1, Dickson, p. 397], also [1, Evans et al., p. 71]. Some of these numbers will be used later on.


Case n = 4. Let $p = kn + 1 = 4k + 1$ be a prime and $g$ a primitive root modulo $p$. The prime $p$ splits in the quadratic field $\mathbb{Q}(i) = \mathbb{Q}(e^{i\pi/2})$, and the equation $p = A^2 + B^2$ with $A$ odd has four solutions $(\pm A, \pm B)$. The quadratic partition specified by the relations below gives a unique one.

( 1 ) $p = A^2 + B^2$, ( 2 ) $A \equiv -(2 \mid p) \bmod 4$, and ( 3 ) $B \equiv A\, g^{(p-1)/4} \bmod p$.

Line (2) above specifies a solution $(A, \pm B)$ of equation (1), and condition (3) determines a unique $B$ or $-B$. The parity of $k$ determines one of the two possible cyclotomic matrices of type $(k, 4)$. Using properties (2) and (3) to remove the dependencies, the matrices reduce to

$$C_k(4) = \begin{pmatrix} (0,0) & (0,1) & (0,2) & (0,3) \\ (0,1) & (0,3) & (1,2) & (1,2) \\ (0,2) & (1,2) & (0,2) & (1,2) \\ (0,3) & (1,2) & (1,2) & (0,1) \end{pmatrix} \quad\text{or}\quad C_k(4) = \begin{pmatrix} (0,0) & (0,1) & (0,2) & (0,3) \\ (1,0) & (1,0) & (0,3) & (0,1) \\ (0,0) & (1,0) & (0,0) & (1,0) \\ (1,0) & (0,3) & (0,1) & (1,0) \end{pmatrix}$$

for $k$ even or odd respectively.

Lemma 4.19. The cyclotomic numbers of type $(k, 4)$ are given by either

( 1 ) $16(0, 0) = p - 11 + 6A$,
( 2 ) $(0, 1) = (1, 0) = (3, 3) = (p - 3 - 2A + 4B)/16$,
( 3 ) $(0, 2) = (2, 0) = (2, 2) = (p - 3 - 2A)/16$,
( 4 ) $(0, 3) = (3, 0) = (1, 1) = (p - 3 - 2A - 4B)/16$,
( 5 ) $(1, 2) = (2, 1) = (1, 3) = (2, 3) = (3, 1) = (3, 2) = (p + 1 + 2A)/16$,

if $k$ is even, or

( 6 ) $(0, 0) = (2, 0) = (2, 2) = (p - 7 + 2A)/16$,
( 7 ) $(0, 1) = (1, 3) = (3, 2) = (p + 1 + 2A + 4B)/16$,
( 8 ) $(0, 2) = (p + 1 - 6A)/16$,
( 9 ) $(0, 3) = (1, 2) = (3, 1) = (p + 1 + 2A - 4B)/16$,
( 10 ) $(1, 0) = (1, 1) = (2, 1) = (2, 3) = (3, 0) = (3, 3) = (p - 3 - 2A)/16$,

if $k$ is odd.

Proof: Only five of the numbers $(i, j)$, $0 \le i, j < 4$, are independent. The linear properties (2) and (3) are used to establish the equalities or dependencies among the numbers $(i, j)$ in the matrix above. For $k$ even this leads to a system with only three distinct equations (row sums):

$$(0, 0) + (0, 1) + (0, 2) + (0, 3) = k - 1,\quad (0, 1) + (0, 3) + 2(1, 2) = k,\quad 2(0, 2) + 2(1, 2) = k .$$

The other equations used to complete the calculation, and the other details of the proof, appear in [1, Dickson, p. 397], also [1, Evans et al., p. 74].
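The counting definition (Definition 4.13) and the closed forms of Lemmas 4.17, 4.18 and 4.19 can be checked against one another mechanically. The Python program below is an added example, not part of the original text: it computes the cyclotomic numbers $(i, j)$ for a prime $p = kn + 1$ directly from Definition 4.13, determines the quadratic partitions of the cases $n = 3$ and $n = 4$ with the sign conventions (2) and (3) stated above, and evaluates the closed forms. The helper names (`cyclotomic_numbers`, `quadratic_partition_3`, and so on) and the trial-division search for a primitive root are this example's own choices; the formulas are the ones in the text.

```python
"""Cyclotomic numbers (i, j) of type (k, n), p = kn + 1 prime, computed from the
counting definition (Definition 4.13) and from the closed forms of Lemmas 4.17,
4.18 and 4.19.  Added example; the helper names are this example's own."""
from math import isqrt


def is_prime(m: int) -> bool:
    return m > 1 and all(m % d for d in range(2, isqrt(m) + 1))


def primitive_root(p: int) -> int:
    """Smallest primitive root modulo the prime p (trial search, fine for small p)."""
    factors = [q for q in range(2, p) if (p - 1) % q == 0 and is_prime(q)]
    return next(g for g in range(2, p) if all(pow(g, (p - 1) // q, p) != 1 for q in factors))


def coset_index(p: int, n: int, g: int) -> dict:
    """z -> i for z in K_i = { g^(nx+i) : 0 <= x < k }, the cosets of the nth power residues."""
    k = (p - 1) // n
    return {pow(g, n * x + i, p): i for i in range(n) for x in range(k)}


def cyclotomic_numbers(p: int, n: int, g: int) -> dict:
    """(i, j) = #{ z in K_i : 1 + z in K_j }, i.e. solutions of 1 + g^(nx+i) = g^(ny+j) mod p."""
    assert is_prime(p) and (p - 1) % n == 0
    idx = coset_index(p, n, g)
    counts = {(i, j): 0 for i in range(n) for j in range(n)}
    for z, i in idx.items():
        w = (1 + z) % p
        if w:                      # z = -1 gives w = 0, which lies in no coset
            counts[(i, idx[w])] += 1
    return counts


def sum_relations_hold(p: int, n: int, g: int) -> bool:
    """Properties (4) and (5) of Section 4.4: column sums k - a_j, row sums k - b_i."""
    k, c = (p - 1) // n, cyclotomic_numbers(p, n, g)
    cols = all(sum(c[(i, j)] for i in range(n)) == k - (j == 0) for j in range(n))
    minus_one = 0 if k % 2 == 0 else n // 2          # the coset containing -1
    rows = all(sum(c[(i, j)] for j in range(n)) == k - (i == minus_one) for i in range(n))
    return cols and rows


def exact(num: int, den: int) -> int:
    assert num % den == 0, f"{num} is not divisible by {den}"
    return num // den


def quadratic_partition_3(p: int, g: int) -> tuple:
    """4p = A^2 + 27 B^2 with A = 1 (mod 3) and 9B = (g^k - g^(2k)) A (mod p), k = (p-1)/3."""
    k = (p - 1) // 3
    B = next(b for b in range(1, isqrt(4 * p // 27) + 1)
             if isqrt(4 * p - 27 * b * b) ** 2 == 4 * p - 27 * b * b)
    A = isqrt(4 * p - 27 * B * B)
    if A % 3 != 1:
        A = -A
    rhs = (pow(g, k, p) - pow(g, 2 * k, p)) * A % p
    assert (9 * B % p == rhs) != (-9 * B % p == rhs), "exactly one sign of B must match"
    return A, (B if 9 * B % p == rhs else -B)


def quadratic_partition_4(p: int, g: int) -> tuple:
    """p = A^2 + B^2 with A odd, A = -(2|p) (mod 4) and B = A g^((p-1)/4) (mod p)."""
    A = next(a for a in range(1, isqrt(p) + 1, 2) if isqrt(p - a * a) ** 2 == p - a * a)
    B = isqrt(p - A * A)
    legendre_2 = 1 if p % 8 in (1, 7) else -1       # (2 | p) by the second supplementary law
    if A % 4 != (-legendre_2) % 4:
        A = -A
    if B % p != A * pow(g, (p - 1) // 4, p) % p:
        B = -B
    assert B % p == A * pow(g, (p - 1) // 4, p) % p
    return A, B


def lemma_4_17(p: int) -> dict:
    k = (p - 1) // 2
    if k % 2 == 0:
        return {(0, 0): (k - 2) // 2, (0, 1): k // 2, (1, 0): k // 2, (1, 1): k // 2}
    return {(0, 0): (k - 1) // 2, (1, 0): (k - 1) // 2, (1, 1): (k - 1) // 2, (0, 1): (k + 1) // 2}


def lemma_4_18(p: int, g: int) -> dict:
    A, B = quadratic_partition_3(p, g)
    c00, c12 = exact(p - 8 + A, 9), exact(p + 1 + A, 9)
    c01, c02 = exact(2 * p - 4 - A + 9 * B, 18), exact(2 * p - 4 - A - 9 * B, 18)
    rows = [[c00, c01, c02], [c01, c02, c12], [c02, c12, c01]]
    return {(i, j): rows[i][j] for i in range(3) for j in range(3)}


def lemma_4_19(p: int, g: int) -> dict:
    A, B = quadratic_partition_4(p, g)
    if ((p - 1) // 4) % 2 == 0:
        c00, c01 = exact(p - 11 + 6 * A, 16), exact(p - 3 - 2 * A + 4 * B, 16)
        c02, c03 = exact(p - 3 - 2 * A, 16), exact(p - 3 - 2 * A - 4 * B, 16)
        c12 = exact(p + 1 + 2 * A, 16)
        rows = [[c00, c01, c02, c03], [c01, c03, c12, c12], [c02, c12, c02, c12], [c03, c12, c12, c01]]
    else:
        c00, c01 = exact(p - 7 + 2 * A, 16), exact(p + 1 + 2 * A + 4 * B, 16)
        c02, c03 = exact(p + 1 - 6 * A, 16), exact(p + 1 + 2 * A - 4 * B, 16)
        c10 = exact(p - 3 - 2 * A, 16)
        rows = [[c00, c01, c02, c03], [c10, c10, c03, c01], [c00, c10, c00, c10], [c10, c03, c01, c10]]
    return {(i, j): rows[i][j] for i in range(4) for j in range(4)}


if __name__ == "__main__":
    for p in (7, 13, 19, 31, 37):
        g = primitive_root(p)
        print(p, quadratic_partition_3(p, g), cyclotomic_numbers(p, 3, g) == lemma_4_18(p, g))
```

Running it for $p = 11$ reproduces Example 4.14; for $p = 13$, $n = 4$ the partition is $A = -3$, $B = 2$ and the brute-force table matches the odd-$k$ formulas of Lemma 4.19 entry by entry. The `exact` helper turns the divisibility implicit in the closed forms into a check, so a wrong sign convention for $B$ fails loudly instead of producing a fractional count.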

Case n = (p − 1)/2. Let $p = 2n + 1$ be a prime and $g$ a primitive root modulo $p$. The quadratic partition of $p$ is not required, and has no part in the calculation of the cyclotomic numbers. This case turns out to be a lot easier.

Lemma 4.20. Let $K_i = \{ g^i, g^{n+i} \} = \{ g^i, -g^i \}$, $0 \le i < n$, be the $n$th power residue partition of $\mathbb{F}_p^*$, and let $\eta_i = \psi(g^i) + \psi(g^{n+i})$, where $\psi(x) = e^{2\pi i x/p}$. Then the cyclotomic numbers of type $(2, n)$ are the following.

( 1 ) $(0, j) = 1$ if $2 \in K_j$, that is, if $g^j \equiv \pm 2 \bmod p$; otherwise $(0, j) = 0$.
( 2 ) For $i \ne 0$, $(i, j) = 1$ if $1 + g^i \in K_j$ or $1 - g^i \in K_j$; otherwise $(i, j) = 0$.

Proof: Since $-1 = g^n$, the element $\eta_i = \psi(g^i) + \psi(-g^i)$, and for $i \ne 0$ it follows that

$$\eta_0 \eta_i = (\psi(1) + \psi(-1))(\psi(g^i) + \psi(-g^i)) = \psi(1 + g^i) + \psi(-1 - g^i) + \psi(1 - g^i) + \psi(-1 + g^i) = \eta_a + \eta_b ,$$

so that, comparing with $\eta_0 \eta_i = (i, 0)\eta_0 + (i, 1)\eta_1 + \cdots + (i, n-1)\eta_{n-1}$, the expansion is $(i, a)\eta_a + (i, b)\eta_b$ with $(i, a) = (i, b) = 1$, where $1 + g^i \in K_a$ and $1 - g^i \in K_b$. The indices $a$ and $b$ are distinct, since $1 + g^i = \pm(1 - g^i)$ would force $g^i = 0$ or $2 = 0$. Finally, for $i = 0$, $\eta_0 \eta_0 = \psi(2) + \psi(-2) + 2 = \eta_a + 2 = (0, a)\eta_a + 2$, where $2 \in K_a$. Note that $\varepsilon_0 = 2 = k$, and $\varepsilon_i = 0$ for $i \ne 0$. $\square$

The cyclotomic numbers of type $(3, n)$ for the periods $\eta_i = \psi(g^i) + \psi(g^{n+i}) + \psi(g^{2n+i})$, derived from the partition $K_i = \{ g^i, g^{n+i}, g^{2n+i} \}$, $p = 3n + 1$, exhibit a similar pattern. More generally, for $p = kn + 1$, the periods of type $(k, n)$ are derived from the cosets $K_i = \{ g^i, g^{n+i}, \dots, g^{(k-1)n+i} \}$.

Remark: It is clear that the complexity of multiplication in $\mathbb{Q}(\eta_0)$, $\eta_0 = \psi(1) + \psi(g^n)$, is $w(T_0) = 3n - 2$: after the constant $2$ in $\eta_0 \eta_0$ is rewritten as $-2(\eta_0 + \cdots + \eta_{n-1})$, the row $i = 0$ has $n$ nonzero coefficients and each row $i \ne 0$ has two. If the periods $\eta_i = \psi(g^i) + \psi(g^{n+i})$ of type $(2, n)$ form a normal basis in characteristic 2, then the constant $2$ vanishes and the multiplication matrix has the minimal complexity possible, $2n - 1$. The periods of type $(4, n)$ have the minimal complexity possible, $4n - 3$, etc. Similarly in characteristic 3, the multiplication matrix with respect to a period normal basis of type $(3, n)$ has the minimal complexity possible, $3n - 2$, and a type $(6, n)$ basis has the minimal complexity possible, $6n - 5$, etc.
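To see the counts behind the Remark, the following Python program (an added example, not part of the original text) builds row 0 of the multiplication table of the type $(2, n)$ periods from Lemma 4.20, rewrites the constant $\varepsilon_0 = 2$ in terms of the periods, and counts the nonzero coefficients over $\mathbb{Q}$ and after reduction modulo 2. It also includes, as an assumption not stated on this page, the standard criterion of Mullin, Onyszchuk, Vanstone and Wilson for when the type $(2, n)$ periods form a normal basis of $\mathbb{F}_{2^n}$ (the type II optimal normal basis used in hardware finite-field arithmetic). The helper names are the example's own.

```python
"""Multiplication table of the periods eta_i = psi(g^i) + psi(-g^i) of type (2, n),
p = 2n + 1 prime (Lemma 4.20), and the complexity w(T_0) of Definition 4.12 over Q
and in characteristic 2.  Added example; the helper names are this example's own."""


def is_prime(m: int) -> bool:
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def multiplicative_order(a: int, p: int) -> int:
    x, e = a % p, 1
    while x != 1:
        x, e = x * a % p, e + 1
    return e


def primitive_root(p: int) -> int:
    return next(g for g in range(2, p) if multiplicative_order(g, p) == p - 1)


def coset_of(z: int, p: int, g: int) -> int:
    """Index i with z in K_i = { g^i, g^(n+i) } = { g^i, -g^i }, 0 <= i < n = (p-1)/2."""
    z %= p
    for i in range((p - 1) // 2):
        if pow(g, i, p) in (z, p - z):
            return i
    raise ValueError("z must be nonzero modulo p")


def period_products(p: int) -> list:
    """Row 0 of the table, eta_0 * eta_i = eps_i + sum_k (i, k) eta_k, as pairs
    (eps_i, {k: (i, k)}) for i = 0, ..., n-1, using the closed form of Lemma 4.20."""
    assert is_prime(p) and p > 2
    n, g = (p - 1) // 2, primitive_root(p)
    # i = 0: eta_0^2 = (psi(1) + psi(-1))^2 = psi(2) + psi(-2) + 2 = eta_a + 2 with 2 in K_a
    rows = [(2, {coset_of(2, p, g): 1})]
    for i in range(1, n):
        gi = pow(g, i, p)
        a = coset_of(1 + gi, p, g)      # psi(1 + g^i) + psi(-1 - g^i) = eta_a
        b = coset_of(1 - gi, p, g)      # psi(1 - g^i) + psi(-1 + g^i) = eta_b, b != a
        rows.append((0, {a: 1, b: 1}))
    return rows


def complexity(p: int, characteristic: int = 0) -> int:
    """w(T_0): nonzero coefficients t_{0,i,k} once each product is written in the period
    basis.  The constant eps_i is rewritten with 1 = -(eta_0 + ... + eta_{n-1}); for a
    prime characteristic the coefficients are then reduced modulo it."""
    n, total = (p - 1) // 2, 0
    for eps, terms in period_products(p):
        coeffs = [terms.get(k, 0) - eps for k in range(n)]
        if characteristic:
            coeffs = [c % characteristic for c in coeffs]
        total += sum(1 for c in coeffs if c)
    return total


def type2_normal_basis_exists(n: int) -> bool:
    """Standard criterion (Mullin, Onyszchuk, Vanstone, Wilson) for the type (2, n)
    periods to be a normal basis of F_{2^n}: p = 2n + 1 prime and <2, -1> = F_p^*,
    i.e. ord_p(2) = 2n, or ord_p(2) = n with n odd.  An assumption not stated on the page."""
    p = 2 * n + 1
    if not is_prime(p):
        return False
    e = multiplicative_order(2, p)
    return e == 2 * n or (e == n and n % 2 == 1)


if __name__ == "__main__":
    for p in (5, 7, 11, 23):
        n = (p - 1) // 2
        print(p, complexity(p), 3 * n - 2, complexity(p, 2), 2 * n - 1, type2_normal_basis_exists(n))
```

For $p = 11$ the row $\eta_0\eta_0 = \eta_1 + 2$ contributes five nonzero coefficients over $\mathbb{Q}$ but a single one modulo 2, which is exactly the gap between $3n - 2 = 13$ and $2n - 1 = 9$ in the Remark.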


4.7 Extension to the Ring Zr

This section considers a generalization of the Gaussian periods to the residue number system $\mathbb{Z}_r$, $r = p^v$, $p$ prime and $v \ge 1$. This generalization is precisely the Gaussian period if $v = 1$. Only the quadratic case will be given here. Put $K_0 = \langle g^2 \rangle$ and $K_1 = gK_0$, where $g$ is a primitive root modulo $r$, that is, a generator of $\mathbb{Z}_r^*$. The two cosets $K_0$ and $K_1$, together with the set $M = \{ 0, p, 2p, \dots, (p^{v-1} - 1)p \} = p\mathbb{Z}_r$, which is the maximal ideal, form a partition of $\mathbb{Z}_r$.

Lemma 4.21. The quadratic cyclotomic numbers over the ring $\mathbb{Z}_r$ are as follows.

( 1 ) If $p = 4c + 1$, then $(0, 1)_v = (1, 0)_v = (1, 1)_v = p^{v-1}(p - 1)/4$, and $(0, 0)_v = p^{v-1}(p - 5)/4$.

( 2 ) If $p = 4c + 3$, then $(0, 0)_v = (1, 0)_v = (1, 1)_v = p^{v-1}(p - 3)/4$, and $(0, 1)_v = p^{v-1}(p + 1)/4$.

For $v = 1$ these are the numbers of Lemma 4.17 with $k = (p - 1)/2$.

Other advanced details and applications of this generalization are covered in [1, Ding and Helleseth, 1999].

4.8 Extension of the Finite Field Fp

Let $r = kn + 1 = p^v$ be a prime power. The $n$th power residue partitions, or cosets, of a $v$th degree extension $E_v = \mathbb{F}_{p^v}$ of the finite field $\mathbb{F}_p$ are utilized to augment those of $\mathbb{F}_p$ and produce other varieties of periods. This is one of the many possible generalizations of the cyclotomic periods, see [3, Gurak], [ , Rawarte]. Let $K_0 \cup K_1 \cup \cdots \cup K_{n-1}$ be the coset partition of $\mathbb{F}_{p^v}^*$ with respect to the subgroup $K_0$ of $n$th powers and a generator $g$ of $\mathbb{F}_{p^v}^*$, so that $K_i = g^i K_0$, and let $\mathrm{Tr} : \mathbb{F}_{p^v} \to \mathbb{F}_p$ be the absolute trace. The cyclotomic periods are defined by

$$\eta_i = \sum_{x \in K_i} \omega^{\mathrm{Tr}(x)} = \sum_{x \in K_0} \omega^{\mathrm{Tr}(g^i x)},$$

where $0 \le i < n$ and $\omega$ is a primitive $p$th root of unity.

Uniform Cyclotomic Numbers

Definition 1. The cyclotomic numbers are called uniform if the following holds.
( 1 ) $(0, 1) = (0, i) = (i, 0) = (i, i)$ for $i \ne 0$.
( 2 ) $(1, 2) = (i, j)$ for $i \ne j$, and $i, j \ne 0$.

Lemma 2. If the cyclotomic numbers are uniform, then either $p = 2$ or $k$ is even.

Proof: Suppose on the contrary that both $p$ and $k$ are odd. Then the integer $n$ is even, and property (3) of Section 4.4 together with the definition of uniformity gives

$$(0, 0) = (n/2, n/2) = (0, 1).$$

Further, for $n > 2$, by uniformity and property (3),

$$(1, 2) = (n/2 - 1, n/2) = (0, n - 1) = (0, 1).$$

This implies that all the cyclotomic numbers in any row or any column are the same; for instance,

$$(0, j) + (1, j) + (2, j) + \cdots + (n - 1, j) = n\,(0, 0)$$

for every $j$, in contradiction with the basic property (4) of the cyclotomic numbers,

$$(0, j) + (1, j) + (2, j) + \cdots + (n - 1, j) = k - \delta,$$

where $\delta = 1$ for $j = 0$ and $\delta = 0$ otherwise, so that the column sums for $j = 0$ and $j \ne 0$ differ by one. $\square$

Lemma 3. Let $r = kn + 1 = p^{2v}$ be a prime power and let $n \ge 3$ be a divisor of $p^v + 1$. Then
( 1 ) The cyclotomic numbers are uniform.
( 2 ) The periods of type $(k, n)$ are linearly dependent.

Proof of (2): If $n$ divides $p^v + 1$, then $k$ is even and the cyclotomic numbers are uniform, which implies that the periods are uniform. Consequently there are linear dependencies among the periods; see [1, Baumert et al.] for more details.

The corresponding $n \times n$ cyclotomic matrices $C_k(n) = ( (i, j) )$ have at most three independent entries, $(0, 0)$, $(0, 1)$, and $(1, 2)$.

4.9 Exponential Sums Properties of the Periods

Let $\eta_{n-1}, \dots, \eta_1, \eta_0$ be the periods of degree $n$, and define the gamma and beta polynomials by

$$G(x) = \eta_{n-1}x^{n-1} + \cdots + \eta_1 x + \eta_0, \qquad B(s, t) = \frac{G(s)G(t)}{G(st)} .$$

The restrictions of the gamma and beta polynomials to the $n$th roots of unity on the unit circle are called the gamma and beta sums respectively (or the resolvents of the periods), see [2, Lehmers 1967, 1968].

Properties of the Beta and Gamma Sums. Let $\theta = e^{2\pi i/n}$ be a primitive $n$th root of unity. The beta and gamma sums satisfy the following properties.

( 1 ) $G(\theta^s) = -1$ if $n$ divides $s$, and $G(1) + G(\theta) + G(\theta^2) + \cdots + G(\theta^{n-1}) = n\eta_0$ (by the transform pair (4) below).

( 2 ) $G(\theta^s)\,G(\theta^{-s}) = (-1)^{sk}\,p$ if $n$ does not divide $s$.

( 3 ) $\displaystyle B(s, t) = -\frac{G(\theta^s)\,G(\theta^t)}{G(\theta^{s+t})}$.

( 4 ) $G(e^{2\pi i s/n})$, $0 \le s < n$, and $\displaystyle \eta_t = \frac{1}{n}\sum_{s=0}^{n-1} G(e^{2\pi i s/n})\,e^{-2\pi i st/n}$ form a discrete Fourier transform pair.

Property (2) stems from the fact that $G(e^{2\pi i s/n}) = G(\chi_s)$ is a Gaussian sum, where $\chi_t(x) = \xi^{t \log_g(x)}$ is a multiplicative character on $\mathbb{F}_p$ of order $\mathrm{ord}(\chi_t) = d \mid n$, $\log_g$ is the discrete logarithm to the base $g$, and $\xi$ is an $n$th root of unity, here $\xi = e^{2\pi i/n}$. Indeed, $\chi_s$ is constant on each coset $K_t$, equal to $\xi^{st}$ there, so

$$G(\chi_s) = \sum_{x \in \mathbb{F}_p^*} \chi_s(x)\,e^{2\pi i x/p} = \sum_{t=0}^{n-1} \eta_t\,\xi^{st} = \sum_{t=0}^{n-1} \eta_t\, e^{2\pi i st/n}, \qquad \eta_t = \frac{1}{n}\sum_{s=0}^{n-1} G(e^{2\pi i s/n})\,e^{-2\pi i st/n},$$

and the value $(-1)^{sk}$ in (2) is $\chi_s(-1) = \xi^{s \cdot kn/2}$.
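The properties above can be verified numerically. The Python program below is an added example, not from the original text: it builds the complex periods of type $(k, n)$, forms the gamma sums $G(\theta^s)$ as the discrete Fourier transform of the vector of periods, and checks properties (1), (2) and (4) to floating-point precision, including the value $(-1)^{sk}p$ of the Gauss-sum product. Function names are the example's own; the identities are those of the text.

```python
"""Numerical check of the gamma sums G(theta^s) = sum_t eta_t theta^(st) of the periods
of type (k, n): property (2) (the Gauss-sum product), the sum identities of (1), and the
discrete Fourier transform pair (4).  Added example; the helper names are this example's own."""
import cmath
import math


def primitive_root(p: int) -> int:
    """Smallest primitive root modulo the prime p (trial search, fine for small p)."""
    factors = [q for q in range(2, p) if (p - 1) % q == 0 and all(q % d for d in range(2, q))]
    return next(g for g in range(2, p) if all(pow(g, (p - 1) // q, p) != 1 for q in factors))


def periods(p: int, n: int, g: int) -> list:
    """eta_t = sum_{j<k} exp(2 pi i g^(jn+t) / p), the complex periods of type (k, n)."""
    k = (p - 1) // n
    return [sum(cmath.exp(2j * math.pi * pow(g, j * n + t, p) / p) for j in range(k))
            for t in range(n)]


def gamma_sums(eta: list) -> list:
    """G(theta^s) = sum_t eta_t theta^(st), theta = exp(2 pi i / n); G(theta^s) = G(chi_s)."""
    n, theta = len(eta), cmath.exp(2j * math.pi / len(eta))
    return [sum(eta[t] * theta ** (s * t) for t in range(n)) for s in range(n)]


def inverse_dft(G: list) -> list:
    """eta_t = (1/n) sum_s G(theta^s) theta^(-st), the inverse of gamma_sums (property (4))."""
    n, theta = len(G), cmath.exp(2j * math.pi / len(G))
    return [sum(G[s] * theta ** (-s * t) for s in range(n)) / n for t in range(n)]


def check_properties(p: int, n: int, tol: float = 1e-8) -> bool:
    """True when the periods of type ((p-1)/n, n) satisfy (1), (2) and (4) within tol."""
    k, g = (p - 1) // n, primitive_root(p)
    eta = periods(p, n, g)
    G = gamma_sums(eta)
    ok = abs(G[0] + 1) < tol                                    # G(1) = eta_0 + ... + eta_{n-1} = -1
    ok &= abs(sum(G) - n * eta[0]) < tol                        # sum_s G(theta^s) = n eta_0
    for s in range(1, n):                                       # G(theta^s) G(theta^-s) = (-1)^(sk) p
        ok &= abs(G[s] * G[(-s) % n] - (-1) ** (s * k) * p) < tol
    ok &= all(abs(a - b) < tol for a, b in zip(eta, inverse_dft(G)))
    return ok


if __name__ == "__main__":
    for p, n in ((11, 2), (13, 3), (13, 4), (31, 5), (7, 6)):
        print(p, n, check_properties(p, n))
```

For $p = 11$, $n = 2$ the single nontrivial gamma sum is $G(-1) = \eta_0 - \eta_1$, whose square is $(-1)^{5}\cdot 11 = -11$, the quadratic Gauss sum of Lemma 5.8 in Chapter 5.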

Over an extension field $\mathbb{F}_{p^a}$, $p^a = kn + 1$, the same identities hold for the finite-field-valued periods $\eta_i = \sum_{x \in K_i} \omega^{\mathrm{Tr}(x)}$ and the resolvent (reduced) sums

$$R_i = \sum_{x \in \mathbb{F}_{p^a}} \omega^{\mathrm{Tr}(g^i x^n)} :$$

( 1 ) $\eta_0 + \eta_1 + \eta_2 + \cdots + \eta_{n-1} = -1$,
( 2 ) $R_0 + R_1 + R_2 + \cdots + R_{n-1} = 0$,
( 3 ) $R_i = 1 + n\eta_i$, since $x^n$ runs over $K_0$ exactly $n$ times as $x$ runs over $\mathbb{F}_{p^a}^*$,
( 4 ) If the integer $n$ is invertible in $\mathbb{F}_p$, then $\displaystyle G(\chi_s) = \sum_{t=0}^{n-1} \eta_t\,\xi^{st}$ and $\displaystyle \eta_i = \frac{1}{n}\sum_{s=0}^{n-1} G(\chi_s)\,\xi^{-si}$ are a discrete Fourier transform pair, $\xi$ a primitive $n$th root of unity in the field of values.

Let $\eta_0, \eta_1, \dots, \eta_{n-1}$ be periods of type $(k, n)$ and let $\eta_{d,0}, \eta_{d,1}, \dots, \eta_{d,n-1}$ be the extended periods of type $(d, k, n)$. Define the gamma polynomial

$$H(x) = H_1(x) = \eta_{n-1}x^{n-1} + \eta_{n-2}x^{n-2} + \cdots + \eta_1 x + \eta_0,$$

and let

$$H_d(x) \equiv \sum_{0 \le t < r^d - 1} x^t\, e^{2\pi i\,\mathrm{Tr}(\gamma^t)/p} \pmod{x^{r-1} - 1},$$

where $\gamma$ is primitive in $F_d$, the extension of degree $d = [F_d : \mathbb{F}_r]$ of $\mathbb{F}_r$, $r = kn + 1 = p^v$, and $\mathrm{Tr}$ is the trace from $F_d$ to $\mathbb{F}_p$. Another round of modular reduction gives

$$H_d(x) \equiv \sum_{i=0}^{n-1} \eta_{d,i}\,x^i \pmod{x^n - 1},$$

where

$$\eta_{d,i} = \sum_{t \equiv i \bmod n} e^{2\pi i\,\mathrm{Tr}(\gamma^t)/p}$$

are the periods of type $(d, k, n)$. These polynomials provide a formula for computing the periods $\eta_{d,0}, \eta_{d,1}, \dots, \eta_{d,n-1}$ of type $(d, k, n)$ in terms of the periods $\eta_0, \eta_1, \dots, \eta_{n-1}$ of type $(k, n)$: by the Hasse-Davenport relation below,

$$f(x) = (-H_1(x))^d = -(\eta_{d,n-1}x^{n-1} + \eta_{d,n-2}x^{n-2} + \cdots + \eta_{d,1}x + \eta_{d,0}) = -H_d(x) \quad\text{for all } x \in \Omega = \{ \xi \ne 1 : \xi^n = 1 \},$$

and also at $x = 1$, where both sides equal $1$ because the periods of either type sum to $-1$. The function $f$ is periodic on the $n$th roots of unity, so $H_d$ has the Fourier representation with coefficients

$$\eta_{d,t} = -\frac{1}{n}\sum_{s=0}^{n-1} (-H_1(\xi^s))^d\,\xi^{-st}, \qquad \xi = e^{2\pi i/n},$$

for $t = 0, 1, 2, \dots, n - 1$.

(Hasse-Davenport Relation) Let $r = p^v = kn + 1$, let $\tau$ generate $\mathbb{F}_r^*$ and $\xi$ generate $L^*$, where $L = F_d$ and $r^d = \#L$, so that $\tau = \xi^{(r^d-1)/(r-1)}$ is the norm of $\xi$, and let $\chi_s(\tau^x) = e^{2\pi i sx/(r-1)}$ be a character of $\mathbb{F}_r^*$, lifted to $L^*$ through the norm. Then

$$G_d(\chi_s) = \sum_{x=0}^{r^d-2} e^{2\pi i sx/(r-1)}\, e^{2\pi i\,\mathrm{Tr}(\xi^x)/p} = (-1)^{d+1}\Big( \sum_{x=0}^{r-2} e^{2\pi i sx/(r-1)}\, e^{2\pi i\,\mathrm{Tr}(\tau^x)/p} \Big)^d .$$

Other identities and related topics are treated in McEliece and Rumsey [2].

Hyperperiods. The generalization of the periods to hyperperiods replaces the inner term with an exponential sum,

$$\eta^{(k)}_t = \sum_{s \in K_t} \sum_{x=0}^{p-1} e^{-2\pi i (x + s x^k)/p},$$

see [2, Lehmers 1967, 1968].


Chapter 5 Period Polynomials

5.1 Definition of Period Polynomials

Let $p = kn + 1$ be prime, and let $g$ be a primitive root modulo $p$. The periods $\eta_d$ and reduced periods $g_d$ of type $(k, n)$ are the incomplete exponential sums

$$\eta_d = \sum_{j=0}^{k-1} e^{2\pi i g^{jn+d}/p}, \qquad\text{and}\qquad g_d = \sum_{x=0}^{p-1} e^{2\pi i g^d x^n/p},$$

for $d = 0, 1, \dots, n - 1$.

In general, if $\gcd(n, p - 1) = 1$ (for a prime $n > 2$ this means $p \not\equiv 1 \bmod n$), then the map $x \to x^n$ is one-to-one on $\mathbb{F}_p$, and the periods reduce to the trivial period $\eta_0 = \eta_1 = \cdots = \eta_{n-1}$. Nontrivial periods of type $(k, n)$ are constructible if and only if the prime $p = kn + 1$.

Definition 5.1. The period polynomial of type $(k, n)$ is defined by

$$\Psi_p(x) = (x - \eta_0)(x - \eta_1) \cdots (x - \eta_{n-1}) = x^n + c_1 x^{n-1} + c_2 x^{n-2} + \cdots + c_{n-1} x + c_n .$$

The associated reduced period polynomial of type $(k, n)$ is defined by

$$\Theta_p(x) = (x - g_0)(x - g_1) \cdots (x - g_{n-1}) = x^n + d_1 x^{n-1} + d_2 x^{n-2} + \cdots + d_{n-1} x + d_n .$$

From the defining sums for $\eta_i$ and $g_i$ it is clear that $g_0 = 1 + n\eta_0$, $g_1 = 1 + n\eta_1$, ..., $g_{n-1} = 1 + n\eta_{n-1}$, because as $x$ runs over $\mathbb{F}_p^*$ the power $x^n$ runs over $K_0$ exactly $n$ times, and $x = 0$ contributes the term $1$. Accordingly, the period and the reduced period polynomials are equivalent up to a linear transformation. The linking formulae are

$$\Psi_p(x) = \prod_{i=0}^{n-1} (x - \eta_i) = n^{-n}\,\Theta_p(nx + 1),$$

and

$$\Theta_p(x) = \prod_{i=0}^{n-1} (x - g_i) = n^{n}\,\Psi_p\big((x - 1)/n\big).$$

The Galois group $\mathrm{Gal}(\mathbb{Q}(\eta_0)/\mathbb{Q}) = \{ \tau^i : 0 \le i < n \}$ of the extension $\mathbb{Q}(\eta_0)$ of the rational numbers $\mathbb{Q}$ is a cyclic group of order $n$, and the generating map $\tau$ is defined by $\tau^i(\eta_j) = \eta_{i+j}$, indices modulo $n$; this is exponentiation by $g$, $\omega \mapsto \omega^g$. Consequently

$$\tau(\Psi_p(x)) = \prod_{i=0}^{n-1} (x - \tau(\eta_i)) = \Psi_p(x) .$$


In other words, both the period and the reduced period polynomials have integer coefficients (the coefficients are fixed by the Galois group, hence rational, and they are algebraic integers).

The traces of $\eta_i$ and $g_i$ are

$$\mathrm{Tr}(\eta_i) = \tau^0(\eta_i) + \tau^1(\eta_i) + \cdots + \tau^{n-1}(\eta_i) = \eta_0 + \eta_1 + \cdots + \eta_{n-1} = -1, \qquad\text{and}\qquad \mathrm{Tr}(g_i) = n + n\,\mathrm{Tr}(\eta_i) = 0 .$$

These data immediately yield the first coefficients $c_1 = 1$ and $d_1 = 0$ of $\Psi_p(x)$ and $\Theta_p(x)$. Thus for any $p$, the coefficients have the pattern

$$\Psi_p(x) = x^n + x^{n-1} + c_2 x^{n-2} + \cdots + c_{n-1} x + c_n, \qquad\text{and}\qquad \Theta_p(x) = x^n + d_2 x^{n-2} + \cdots + d_{n-1} x + d_n .$$

The other coefficients $c_2, c_3, \dots, c_n$ of $\Psi_p(x)$ are more difficult to calculate. Only in a few cases are the period polynomials completely determined. For example, it is quite easy to determine the period polynomials of maximal degree $n = p - 1 = \deg(\Psi_p)$: then $k = 1$, the periods are the primitive $p$th roots of unity themselves, and $\Psi_p(x) = x^{p-1} + x^{p-2} + \cdots + x + 1$ is the $p$th cyclotomic polynomial.

The coefficients of $\Psi_p(x)$ of low degree $n = \deg(\Psi_p)$ are usually determined in terms of the quadratic partition of the prime $p$. The complexity of the quadratic partition of a prime $p$ increases as $n$ increases. For $n = 5$ it involves a Diophantine equation in 4 variables, see [ , Lehmer].

Two different approaches can be used to investigate the period polynomials.

( 1 ) k = (p − 1)/n fixed and n as a function of the prime p. ( 2 ) n = (p − 1)/k fixed and k as a function of the prime p.

If the parameter k = 2, 3, 4, 5, ... is small, and constant, then the periods are short. The number of terms k remains constant as p increases, but the degree n = deg(Ψp) of period polynomial increases as a function of p. On the other hand, if the parameter n = 2, 3, 4, ... is small, and constant, then the periods are long, (have k terms which increases as p increases), but the degree n = deg(Ψp) of period polynomial remains constant independent of p.

Collection of Period Polynomials. For every fixed $n$, the infinite sequence of primes $p = kn + 1$ determines an infinite sequence of period polynomials of degree $n = \deg(\Psi_p)$. The collection of period polynomials

$$\Psi_p(x) = x^7 + x^6 + c_2 x^5 + \cdots + c_6 x + c_7$$

is discussed in [1, Thaine].


5.2 Discriminant and Factorization of Period Polynomials

The discriminant of the period polynomial provides various information about the factorization of $\Psi_p(x)$ over $\mathbb{F}_q$ and the residuacity of primes $q$ other than $p$.

Definition 5.2. The discriminant of the period polynomial of type $(k, n)$ is given by

$$D(\Psi_p) = \prod_{0 \le i < j < n} (\eta_i - \eta_j)^2 .$$

This integer is also expressible through the products

$$P_j = \prod_{i=0}^{n-1} (\eta_i - \eta_{i+j})^2, \qquad j = 1, 2, \dots, n - 1,$$

indices modulo $n$; each unordered pair $\{\eta_a, \eta_b\}$ occurs in exactly two of them, $P_{b-a}$ and $P_{a-b}$, so $P_j = P_{n-j}$ and $P_1 P_2 \cdots P_{n-1} = D(\Psi_p)^2$. Each $P_j$ is in fact a rational integer, being fixed by $\tau$, and is divisible by $p$. The discriminant itself is divisible by $p^{n-1}$, see [E. Lehmer, 1987].

Lemma 5.3. For every prime $p$, $D(\Theta_p) = n^{n(n-1)}\,D(\Psi_p)$.

Proof: Use $g_i = 1 + n\eta_i$, so that $g_i - g_j = n(\eta_i - \eta_j)$ for each of the $n(n-1)/2$ pairs. $\square$

Lemma 5.4. (1) A prime $q \ne p$ that is not a divisor of $D(\Psi_p)$ is an $n$th power residue modulo $p$ if and only if the equation $\Psi_p(x) \equiv 0 \bmod q$ is solvable. (2) Every prime $q$ dividing $D(\Psi_p)$ is an $n$th power residue modulo $p$.

Proof: For more details, see [E. Lehmer, 1968], [K. S. Williams, 1976]. $\square$

Theorem 5.5. (Discriminant Theorem) If the polynomial $f(x) \in \mathbb{F}_q[x]$, $q$ odd, is monic of degree $n$ with nonzero discriminant $D(f)$, then the quadratic symbol of $\mathbb{F}_q$ satisfies the relation

$$\left( \frac{D(f)}{q} \right) = (-1)^{n-s},$$

where $s$ is the number of irreducible factors of $f(x)$ in $\mathbb{F}_q[x]$.

Proof: Confer [1, Stepanov, p. 34]. $\square$

Theorem 5.6. Let $n$ be squarefree and let $q$ be a prime with $\gcd(n, q) = 1$. Let $K_0$ be a subgroup of index $k$ in the group of units of $\mathbb{Z}_n$. Let $l$ denote the smallest integer for which $q^l \in K_0$. Then $l = \mathrm{lcm}(d_1, d_2, \dots, d_r)$, where $\Psi_n(x) = f_1(x) f_2(x) \cdots f_r(x) \in \mathbb{F}_q[x]$ is the factorization into irreducibles and $\deg(f_i(x)) = d_i$. In particular, $\Psi_n(x)$ splits into linear factors over $\mathbb{F}_q$ if $q \in K_0$.

Proof: See [Evans, p. 1077, 1989]. $\square$

Theorem 5.7. (Kummer-Dedekind) Under the same assumptions as above, if $f(x)$ is the minimal polynomial of $\alpha \in \mathbb{Q}(\eta)$ over the rational numbers and $q$ does not divide the index of $\mathbb{Z}[\alpha]$ in the ring of integers of $\mathbb{Q}(\eta)$, then the factorization of the prime $q$ in $\mathbb{Q}(\eta)$ mirrors the factorization of $f(x)$ into irreducible factors over $\mathbb{F}_q$: there is one prime ideal above $q$ for each irreducible factor, with residue degree equal to the degree of that factor.

Proof: See [Janusz, p. 32]. $\square$

5.3 Period Polynomials of Low Degrees

Period polynomials of low degree correspond to long periods. The number $k = (p - 1)/n$ of terms in a long period increases as a function of $p$, and the degree of the period polynomial is a small constant $n$. These polynomials are investigated here.

Case n = 2. Let $p = 2k + 1$ be prime. The quadratic period and reduced period polynomials are the simplest case.

Lemma 5.8. The quadratic period and reduced period polynomials are given by

$$\Psi_p(x) = x^2 + x + \big( 1 - (-1)^{(p-1)/2} p \big)/4,$$

and

$$\Theta_p(x) = x^2 - (-1)^{(p-1)/2} p .$$

Proof: Compute the minimal polynomial $\Theta_p(x) = (x - g_0)(x - g_1)$ of the reduced periods, and then use the transformation formula $\Psi_p(x) = \Theta_p(2x + 1)/4$ to obtain $\Psi_p(x)$. The reduced periods of type $(k, 2)$ are the quadratic exponential sums

$$g_0 = \sum_{x=0}^{p-1} e^{2\pi i x^2/p} = \sum_{x=0}^{p-1} \left( \frac{x}{p} \right) e^{2\pi i x/p} \qquad\text{and}\qquad g_1 = \sum_{x=0}^{p-1} e^{2\pi i a x^2/p} = \sum_{x=0}^{p-1} \left( \frac{x}{p} \right) e^{2\pi i a x/p} = -g_0,$$

where $a$ is a quadratic nonresidue modulo $p$ and $(x \mid p)$ is the quadratic symbol; so $g_0 + g_1 = 0$ and $g_0 g_1 = -g_0^2 = -(-1)^{(p-1)/2} p$ by the evaluation of the quadratic Gauss sum. $\square$

The Discriminant of $\Psi_p(x) = x^2 + x + c_2$. The discriminant of the quadratic period polynomial depends on the congruence class of the prime $p$ modulo 4. It is given by

$$D(\Psi_p) = (\eta_0 - \eta_1)^2 = 1 - 4c_2 = (-1)^{(p-1)/2} p .$$


The Power Sums

Lemma 5.9. The power sums $S_m = \eta_0^m + \eta_1^m$ of the quadratic periods are given by
( 1 ) $S_1 = \eta_0 + \eta_1 = -1$,
( 2 ) $S_2 = \eta_0^2 + \eta_1^2 = S_1^2 - 2c_2 = \big( 1 + (-1)^{(p-1)/2} p \big)/2$,
( 3 ) $S_m = \eta_0^m + \eta_1^m = -S_{m-1} - c_2\,S_{m-2}$ for $m > 2$, where $c_2 = \big( 1 - (-1)^{(p-1)/2} p \big)/4$,

the last being Newton's identity for the roots of $x^2 + x + c_2$.

Irreducibility Conditions

Lemma 5.10. $\Psi_p(x) = x^2 + x + \big( 1 - (-1)^{(p-1)/2} p \big)/4 \in \mathbb{Z}[x]$ is irreducible for all primes $p$, since its discriminant $(-1)^{(p-1)/2} p$ is not a square.

Lemma 5.11. The polynomial $\Psi_p(x) = x^2 + x + \big( 1 - (-1)^{(p-1)/2} p \big)/4$ is irreducible over $\mathbb{F}_q$, $q$ an odd prime, $q \ne p$, if and only if the integer $(-1)^{(p-1)/2} p$ is a quadratic nonresidue modulo $q$.

Lemma 5.12. (1) $\Psi_p(x) = x^2 + x + \big( 1 - (-1)^{(p-1)/2} p \big)/4 \in \mathbb{F}_2[x]$ is primitive if and only if $\big( 1 - (-1)^{(p-1)/2} p \big)/4 \equiv 1 \bmod 2$, or equivalently $p \equiv \pm 3 \bmod 8$.
(2) $\Psi_p(x) = x^2 + x + \big( 1 - (-1)^{(p-1)/2} p \big)/4 \in \mathbb{F}_3[x]$ is primitive if and only if $\big( 1 - (-1)^{(p-1)/2} p \big)/4 \equiv -1 \bmod 3$, or equivalently $p \equiv 5$ or $7 \bmod 12$.

Table of Period Polynomials of Type (k, 2), p < 100.

Ψ3(x) = x^2 + x + 1        Ψ43(x) = x^2 + x + 11
Ψ5(x) = x^2 + x − 1        Ψ47(x) = x^2 + x + 12
Ψ7(x) = x^2 + x + 2        Ψ53(x) = x^2 + x − 13
Ψ11(x) = x^2 + x + 3       Ψ59(x) = x^2 + x + 15
Ψ13(x) = x^2 + x − 3       Ψ61(x) = x^2 + x − 15
Ψ17(x) = x^2 + x − 4       Ψ67(x) = x^2 + x + 17
Ψ19(x) = x^2 + x + 5       Ψ71(x) = x^2 + x + 18
Ψ23(x) = x^2 + x + 6       Ψ73(x) = x^2 + x − 18
Ψ29(x) = x^2 + x − 7       Ψ79(x) = x^2 + x + 20
Ψ31(x) = x^2 + x + 8       Ψ83(x) = x^2 + x + 21
Ψ37(x) = x^2 + x − 9       Ψ89(x) = x^2 + x − 22
Ψ41(x) = x^2 + x − 10      Ψ97(x) = x^2 + x − 24

Irreducible Quadratic Polynomials Algorithm. The structure of the quadratic periods immediately leads to a deterministic algorithm for irreducible quadratic polynomials in Fq[x], q an odd prime. Each trial costs one quadratic-symbol computation, and by Lemma 5.11 a trial prime p succeeds exactly when q is a quadratic nonresidue modulo p, which happens for half of the nonzero residue classes modulo p, so only a few trials are expected.

Quadratic Irreducible Polynomial Algorithm
Step 1. If the prime q ≡ 3 mod 4, go to Step 3. Otherwise, for the prime q ≡ 1 mod 4, choose an arbitrary odd prime p ≠ q and compute the quadratic symbol ( q | p ).
Step 2. If the quadratic symbol ( q | p ) ≠ 1, then

$$\Psi_p(x) = x^2 + x + \frac{1 - (-1)^{(p-1)/2}\,p}{4}$$

is an irreducible quadratic polynomial in Fq[x]; otherwise repeat Step 1 with another prime p.
Step 3. Choose an arbitrary prime p ≡ 1 mod 4, p ≠ q, and compute the quadratic symbol ( q | p ).
Step 4. If the quadratic symbol ( q | p ) ≠ 1, then $\Psi_p(x) = x^2 + x + (1 - (-1)^{(p-1)/2}p)/4 \in \mathbb{F}_q[x]$ is irreducible. Otherwise repeat Step 3.

Since $(p^* \mid q) = (q \mid p)$ for all odd primes p ≠ q, the restriction to p ≡ 1 mod 4 in Step 3 is a convenience rather than a necessity; the case q = 2 is covered by Lemma 5.12(1).
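As an added worked example (not part of the original text), the following Python code implements Lemma 5.8, the quadratic-symbol test of Lemma 5.11 and Steps 1–4 above; the brute-force root count over Fq is an independent check of the symbol test. All function names are mine.

```python
# Quadratic period polynomials Psi_p(x) = x^2 + x + (1 - p*)/4, p* = (-1)^((p-1)/2) p,
# and the irreducible-quadratic search of Steps 1-4 for an odd prime q.

def is_prime(m):
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def p_star(p):
    """p* = (-1)^((p-1)/2) * p for an odd prime p."""
    return p if p % 4 == 1 else -p

def psi_quadratic(p):
    """Coefficients [1, 1, c] (highest degree first) of Psi_p(x) = x^2 + x + c over Z (Lemma 5.8)."""
    return [1, 1, (1 - p_star(p)) // 4]

def legendre(a, q):
    """Quadratic symbol (a | q) for an odd prime q, returned as -1, 0 or 1."""
    s = pow(a % q, (q - 1) // 2, q)
    return -1 if s == q - 1 else s

def eval_mod(coeffs, x, q):
    """Horner evaluation of a polynomial (highest degree first) at x modulo q."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % q
    return acc

def root_count_mod(coeffs, q):
    """Number of distinct roots in F_q; a quadratic is irreducible iff this is 0."""
    return sum(1 for x in range(q) if eval_mod(coeffs, x, q) == 0)

def psi_irreducible_mod(p, q):
    """Lemma 5.11 for odd primes p != q: Psi_p is irreducible over F_q iff (p* | q) = -1."""
    return legendre(p_star(p), q) == -1

def find_irreducible_quadratic(q):
    """Steps 1-4: scan odd primes p != q until (q | p) = -1 and return (Psi_p mod q, p).
    For q ≡ 3 (mod 4) only primes p ≡ 1 (mod 4) are tried, as in Step 3."""
    p = 3
    while True:
        if p != q and is_prime(p) and (q % 4 == 1 or p % 4 == 1):
            if legendre(q, p) == -1:                      # Step 2 / Step 4
                return [c % q for c in psi_quadratic(p)], p
        p += 2

if __name__ == "__main__":
    for q in (3, 5, 7, 11, 13):
        f, p = find_irreducible_quadratic(q)
        print(f"q={q}: Psi_{p}(x) mod {q} = {f}, roots in F_{q}: {root_count_mod(f, q)}")
```

The returned polynomial is reduced modulo q and given highest degree first; the reciprocity identity $(p^* \mid q) = (q \mid p)$ is what makes Step 2 and Lemma 5.11 say the same thing.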

Case n = 3. For the primes p = 3k + 2 the map x → x³ is one-to-one on Fp, and the cubic periods η0 = η1 = η2 are trivial. In light of this put p = 3k + 1. These primes split in the quadratic field $\mathbb{Q}(\omega)$, $\omega = (-1 + \sqrt{-3})/2$, as $p = (a + \omega b)(a + \omega^2 b) = a^2 - ab + b^2$.

The cubic period and reduced period polynomials are given in terms of the parameters A and B in the quadratic partition $4p = A^2 + 27B^2$, A ≡ 1 mod 3 (the form $p = a^2 + 3b^2$ is also used in the literature).

Lemma 5.13. The cubic period and reduced period polynomials are given by

$$\Psi_p(x) = x^3 + x^2 - \frac{p-1}{3}\,x - \frac{p(A+3) - 1}{27} \qquad\text{and}\qquad \Theta_p(x) = x^3 - 3p\,x - A\,p .$$

Proof: To determine Ψp(x), compute the minimal polynomial $\Theta_p(x) = (x - g_0)(x - g_1)(x - g_2)$ of the reduced periods $g_i = 3\eta_i + 1$, and then apply the linear substitution $\Psi_p(x) = \Theta_p(3x + 1)/27$. The reduced periods of type (k, 3) are the cubic exponential sums

$$g_0 = \sum_{x=0}^{p-1} e^{2\pi i x^3/p}, \qquad g_1 = \sum_{x=0}^{p-1} e^{2\pi i a x^3/p}, \qquad g_2 = \sum_{x=0}^{p-1} e^{2\pi i a^2 x^3/p},$$

where a is a cubic nonresidue modulo p. To verify that g0, g1, g2 are the roots of the polynomial Θp(x), rewrite each gv in terms of gaussian sums as

$$\sum_{x=0}^{p-1} e^{2\pi i a^v x^3/p} = \sum_{x=0}^{p-1}\bigl(1 + \chi(a^v x) + \bar\chi(a^v x)\bigr)e^{2\pi i x/p} = G_v(\chi) + G_v(\bar\chi),$$

where χ is the cubic residue symbol, $\bar\chi = \chi^2$, $G_v(\chi) = \sum_x \chi(a^v x)\,e^{2\pi i x/p}$ and v = 0, 1, 2. Now it is quickly resolved that the three real numbers g0, g1, g2 ∈ R are roots of Θp(x). In addition, since $G_v(\bar\chi) = \overline{G_v(\chi)}$ and $|G_v(\chi)| = \sqrt{p}$, these numbers have the form

$$g_v = G_v(\chi) + G_v(\bar\chi) = 2\sqrt{p}\cos\rho_v, \qquad 0 \le \rho_v < \pi,$$

so in particular $|g_v| \le 2\sqrt{p}$. ▄


Lemma 5.14. The power sums of the cubic periods are given by

(1) $S_1 = \eta_0 + \eta_1 + \eta_2 = -1$,
(2) $S_2 = \eta_0^2 + \eta_1^2 + \eta_2^2 = (2p + 1)/3$,
(3) $S_3 = \eta_0^3 + \eta_1^3 + \eta_2^3 = [\,p(A - 6) - 1\,]/9$,
(4) $S_k = \eta_0^k + \eta_1^k + \eta_2^k = -S_{k-1} + \dfrac{p-1}{3}\,S_{k-2} + \dfrac{p(A+3) - 1}{27}\,S_{k-3}$, k > 3.

Proof: The first sum is just the trace of ηi. The others are computed with Newton's identities

$$c_0 S_k + c_1 S_{k-1} + \cdots + c_{k-1} S_1 + k\,c_k = 0 \ \ (k \le 3), \qquad c_0 S_k + c_1 S_{k-1} + c_2 S_{k-2} + c_3 S_{k-3} = 0 \ \ (k > 3),$$

where c0 = 1, c1 = 1, c2 = −(p − 1)/3 and c3 = −(p(A + 3) − 1)/27 are the coefficients of Ψp(x); (4) is the second identity written out. ▄

The same recursive formula can be used to compute $\mathrm{Tr}(\alpha^k) \in \mathbb{F}_q$, α a root of an irreducible polynomial f(x) of degree n over Fq. The sequence $\{\mathrm{Tr}(\alpha^k) : k \ge 0\}$ is a linear recurring sequence whose period divides $q^n - 1$. Algorithms of this type are of interest in cryptography, see [ Lenstra ], LNCS 1270, 1716, 1718.

The Discriminant of Ψp(x) = x^3 + x^2 + c2x + c3

Lemma 5.15. Let $4p = A^2 + 27B^2$, A ≡ 1 mod 3, p prime. Then the discriminants of Ψp(x) and Θp(x) are given by

$$D(\Psi_p) = (\eta_0 - \eta_1)^2(\eta_0 - \eta_2)^2(\eta_1 - \eta_2)^2 = p^2 B^2,$$

and

$$D(\Theta_p) = (g_0 - g_1)^2(g_0 - g_2)^2(g_1 - g_2)^2 = 3^6\, p^2 B^2 .$$

Proof: Apply the discriminant formula $D(f) = -4a^3 - 27b^2$ of the polynomial $f(x) = x^3 + ax + b$ to $\Theta_p(x) = x^3 - 3px - Ap \in \mathbb{Z}[x]$, which gives $108p^3 - 27A^2p^2 = 27p^2(4p - A^2) = 3^6 p^2 B^2$, and then trace it back to Ψp(x): the roots of Θp are $g_i = 3\eta_i + 1$, so every root difference is multiplied by 3 and $D(\Theta_p) = 3^6 D(\Psi_p)$. ▄

Corollary 5.16. Let q ≠ p be a prime. If B ≡ 0 mod q, then q is a cubic residue modulo p. The converse does not hold: q = 5 is a cubic residue modulo p = 13 (5 ≡ 8³ mod 13) although B = 1 ≢ 0 mod 5; in that case Ψ13(x) = x³ + x² − 4x + 1 ≡ (x + 1)(x² + 1) mod 5 still has all three roots in F5, without a repeated root. When q | B the discriminant p²B² vanishes modulo q and Ψp(x) has a repeated root modulo q.

Irreducibility Conditions

Lemma 5.17. Ψp(x) = x^3 + x^2 + c2x + c3 ∈ Z[x] is irreducible for all primes p.

Proof: Since p divides the coefficients d1 = 0, d2 = −3p and d3 = −Ap of Θp(x) = x^3 − 3px − Ap ∈ Z[x], but p² does not divide −Ap (because 0 < |A| ≤ 2√p < p), Eisenstein's criterion shows that Θp(x) is irreducible. The linear substitution x → 3x + 1 preserves irreducibility, so Ψp(x) = Θp(3x + 1)/27 is irreducible as well. ▄


Lemma 5.18. Ψp(x) = x^3 + x^2 + c2x + c3 either splits completely as Ψp(x) = (x − η0)(x − η1)(x − η2) or is irreducible over Fq, q a prime power with q ≠ p.

Proof: Apply the Discriminant Theorem with the parameters n = 3 and D(Ψp) = (pB)², valid for q odd and q ∤ pB. Specifically,

$$\left(\frac{D(\Psi_p)}{q}\right) = (-1)^{n-s} = (-1)^{3-s} = 1 .$$

From this it is clear that s = 1 or s = 3, and this is precisely the number of irreducible factors that Ψp(x) has over Fq. The same dichotomy holds for every q ≠ p, including q = 2 and q | B, by the Galois argument: the Frobenius x → x^q permutes the three periods as a power of the 3-cycle η0 → η1 → η2 → η0, so either it fixes all of them or it moves all of them (when q | B the "split" case has a repeated root modulo q). ▄

The quadratic and cubic period polynomials were determined by [1, Gauss, Articles 356 and 358].

Table of Period and Reduced Period Polynomials of Type (k, 3), p < 100 (from Lemma 5.13 with 4p = A^2 + 27B^2, A ≡ 1 mod 3).

Ψ7(x) = x^3 + x^2 − 2x − 1       Θ7(x) = x^3 − 3·7x − 1·7         (A, B) = (1, 1)
Ψ13(x) = x^3 + x^2 − 4x + 1      Θ13(x) = x^3 − 3·13x + 5·13      (A, B) = (−5, 1)
Ψ19(x) = x^3 + x^2 − 6x − 7      Θ19(x) = x^3 − 3·19x − 7·19      (A, B) = (7, 1)
Ψ31(x) = x^3 + x^2 − 10x − 8     Θ31(x) = x^3 − 3·31x − 4·31      (A, B) = (4, 2)
Ψ37(x) = x^3 + x^2 − 12x + 11    Θ37(x) = x^3 − 3·37x + 11·37     (A, B) = (−11, 1)
Ψ43(x) = x^3 + x^2 − 14x + 8     Θ43(x) = x^3 − 3·43x + 8·43      (A, B) = (−8, 2)
Ψ61(x) = x^3 + x^2 − 20x − 9     Θ61(x) = x^3 − 3·61x − 1·61      (A, B) = (1, 3)
Ψ67(x) = x^3 + x^2 − 22x + 5     Θ67(x) = x^3 − 3·67x + 5·67      (A, B) = (−5, 3)
Ψ73(x) = x^3 + x^2 − 24x − 27    Θ73(x) = x^3 − 3·73x − 7·73      (A, B) = (7, 3)
Ψ79(x) = x^3 + x^2 − 26x + 41    Θ79(x) = x^3 − 3·79x + 17·79     (A, B) = (−17, 1)
Ψ97(x) = x^3 + x^2 − 32x − 79    Θ97(x) = x^3 − 3·97x − 19·97     (A, B) = (19, 1)
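The following Python code, added here for illustration and not taken from the original text, computes the parameters (A, B), the polynomials Ψp and Θp of Lemma 5.13, checks the substitution Ψp(x) = Θp(3x + 1)/27 symbolically, and counts roots modulo q to exhibit the dichotomy of Lemma 5.18 and the counterexample to the converse of Corollary 5.16. The routine names are mine.

```python
# Cubic period polynomials (Lemma 5.13): 4p = A^2 + 27 B^2 with A ≡ 1 (mod 3),
#   Psi_p(x) = x^3 + x^2 - ((p-1)/3) x - (p(A+3) - 1)/27,   Theta_p(x) = x^3 - 3p x - A p,
# related by Psi_p(x) = Theta_p(3x + 1)/27.  Polynomials are lists, highest degree first.
from math import isqrt

def cubic_partition(p):
    """(A, B) with 4p = A^2 + 27 B^2, A ≡ 1 (mod 3), B > 0, for a prime p ≡ 1 (mod 3)."""
    assert p % 3 == 1
    B = 1
    while 27 * B * B < 4 * p:
        rest = 4 * p - 27 * B * B
        A = isqrt(rest)
        if A * A == rest:
            return (A if A % 3 == 1 else -A), B
        B += 1
    raise ValueError(f"{p} is not a prime ≡ 1 (mod 3)")

def psi_cubic(p):
    A, _ = cubic_partition(p)
    c3 = p * (A + 3) - 1
    assert c3 % 27 == 0
    return [1, 1, -(p - 1) // 3, -c3 // 27]

def theta_cubic(p):
    A, _ = cubic_partition(p)
    return [1, 0, -3 * p, -A * p]

def compose_affine(coeffs, m, t):
    """Coefficients of f(m x + t) for f given highest degree first (Horner in m x + t)."""
    result = []
    for c in coeffs:
        new = [0] * (len(result) + 1)
        for i, r in enumerate(result):
            new[i] += r * m
            new[i + 1] += r * t
        new[-1] += c
        result = new
    return result

def eval_mod(coeffs, x, q):
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % q
    return acc

def root_count_mod(coeffs, q):
    """Number of distinct roots of the polynomial in F_q."""
    return sum(1 for x in range(q) if eval_mod(coeffs, x, q) == 0)

def is_cubic_residue(q, p):
    """q is a cube modulo the prime p ≡ 1 (mod 3), p not dividing q."""
    return pow(q, (p - 1) // 3, p) == 1

def table_row(p):
    """(Psi_p, Theta_p, (A, B)) as in the table of type (k, 3) period polynomials."""
    return psi_cubic(p), theta_cubic(p), cubic_partition(p)

if __name__ == "__main__":
    for p in (7, 13, 19, 31, 37, 43, 61, 67, 73, 79, 97):
        psi, theta, (A, B) = table_row(p)
        assert compose_affine(theta, 3, 1) == [27 * c for c in psi]
        print(p, psi, theta, (A, B))
```

Running the main block reproduces the table above; the root counts over Fq are 0 or 3 whenever q ∤ pB, and 5 turns out to be a cube modulo 13 even though B = 1.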

Case n = 4. In the quartic case the prime p = 4k + 1 splits completely as a product of two distinct primes p = (a + ib)(a − ib) in the quadratic number field Q(i). The conditions (1) a ≡ 1 mod 4 and (2) b ≡ a g^{(p−1)/4} (mod p), g a primitive root modulo p, uniquely determine the parameters a and b in the quadratic partition p = a^2 + b^2 (a odd, b even).

Lemma 5.19. The reduced periods of type (k, 4) are gi = 4ηi + 1, so Ψp(x) = Θp(4x + 1)/256. If the parameter k in p = kn + 1 = 4k + 1 is even (p ≡ 1 mod 8), then

$$\Theta_p(x) = (x^2 - p)^2 - 4p(x - a)^2, \qquad \Psi_p(x) = x^4 + x^3 - \frac{3(p-1)}{8}x^2 - \frac{(3 - 2a)p - 1}{16}x + \frac{p^2 - (4a^2 - 8a + 6)p + 1}{256};$$

if k is odd (p ≡ 5 mod 8), then

$$\Theta_p(x) = (x^2 + 3p)^2 - 4p(x - a)^2, \qquad \Psi_p(x) = x^4 + x^3 + \frac{p + 3}{8}x^2 + \frac{(2a + 1)p + 1}{16}x + \frac{9p^2 - (4a^2 - 8a - 2)p + 1}{256}.$$

(Check: p = 17 = 1² + 4², a = 1, gives Ψ17(x) = x⁴ + x³ − 6x² − x + 1, and p = 13 = (−3)² + 2², a = −3, gives Ψ13(x) = x⁴ + x³ + 2x² − 4x + 3, in agreement with the tables of §5.5.)

The reduced periods of type (k, 4) are the quartic exponential sums

$$g_v = \sum_{x=0}^{p-1} e^{2\pi i\, t^v x^4/p}, \qquad v = 0, 1, 2, 3,$$

where t is a quartic nonresidue modulo p. Solving Θp(x) = 0 as a pair of quadratic equations $x^2 \mp p = \pm 2\varepsilon\sqrt{p}\,(x - a)$, the reduced periods, that is the numbers 4ηi + 1, are

$$\varepsilon\sqrt{p} \pm \sqrt{2\delta\,\bigl(p - \delta\varepsilon a\sqrt{p}\bigr)}, \qquad \varepsilon = \pm 1, \quad \delta = (-1)^{(p^2-1)/8} = \Bigl(\frac{2}{p}\Bigr).$$

The value of the quadratic symbol $(2 \mid p) = (-1)^{(p^2-1)/8}$ determines the nature of the roots. The roots are distinct and real if p ≡ 1 mod 8, i.e., η0, η1, η2, η3 ∈ R. Otherwise the roots are distinct and nonreal if p ≡ 5 mod 8, i.e., η0, η1, η2, η3 ∈ C − R.

The Discriminant of Ψp(x) = x^4 + x^3 + c2x^2 + c3x + c4

Lemma 5.20. With p = a^2 + b^2 as above, the discriminant of the reduced period polynomial is

$$D(\Theta_p) = \prod_{0 \le i < j < 4}(g_i - g_j)^2 = 2^{14}\, b^2 p^3\,\bigl[\,a^2 + \bigl(1 - 2(-1)^{(p^2-1)/8}\bigr)\,p\,\bigr]^2,$$

and since gi − gj = 4(ηi − ηj), $D(\Psi_p) = 2^{-24} D(\Theta_p)$ (for p = 17 this gives D(Ψ17) = 2²·17³).

Irreducibility Conditions

Lemma 5.21. Ψp(x) = x^4 + x^3 + c2x^2 + c3x + c4 ∈ Z[x] is irreducible for all primes p.

Proof: With p = a^2 + b^2, expanding gives Θp(x) = x^4 − 6px^2 + 8apx + p(p − 4a^2) for k even and Θp(x) = x^4 + 2px^2 + 8apx + p(9p − 4a^2) for k odd. In both cases p divides every coefficient d1, d2, d3, d4 below the leading one, but p² does not divide d4, since p ∤ 4a^2. Eisenstein's criterion confirms the irreducibility claim for Θp(x), and the same applies to Ψp(x) = Θp(4x + 1)/256. ▄


Lemma 5.22. The polynomial Ψp(x) = x^4 + x^3 + c2x^2 + c3x + c4 is irreducible over Fq, q a prime with q ≠ p, if and only if q is a quadratic nonresidue modulo p, that is ( q | p ) = −1 (for odd q this is the same as ( p | q ) = −1, because p ≡ 1 mod 4). Otherwise ( q | p ) = 1, and Ψp(x) has either two quadratic or four linear factors.

Proof: Use the discriminant theorem, or directly: the Frobenius x → x^q permutes η0, η1, η2, η3 by the shift i → i + j, where q ≡ g^j mod p; it is a 4-cycle exactly when j is odd, i.e. when q is a nonresidue, and otherwise consists of two 2-cycles (j ≡ 2 mod 4) or is the identity (j ≡ 0 mod 4). ▄

5.4 Period Polynomials of High Degrees. The period polynomials of high degree n = (p − 1)/k correspond to short periods, with k constant and n variable. The integer k is the number of terms in each period and n is the degree of the period polynomial.

The calculations of the coefficients of period polynomials of the highest degrees n = p − 1 or (p − 1)/2 do not require information about the partition of the primes p = kn + 1.

Case n = p − 1. On the upper end of the degree scale there are the period polynomials of maximal degree n = p − 1. Since the cosets are the singletons { g^i }, 0 ≤ i < n, the periods of degree n are just the nontrivial pth roots of unity, ηi = ω^{g^i}, i.e. the set { ω, ω², ..., ω^n }, so

$$\Psi_p(x) = \Phi_p(x) = x^n + x^{n-1} + \cdots + x + 1 .$$

The period and cyclotomic polynomials of degree n = p − 1 coincide.

The Discriminant of Ψp(x) = Φp(x)

Lemma 5.23. The discriminant D(Φp) of Φp(x) is given by $D(\Phi_p) = (-1)^{(p-1)/2}\, p^{\,p-2}$.

Irreducibility Conditions. As a polynomial with integer coefficients, this polynomial is always irreducible over the rational numbers Q ⊂ R, but as a polynomial with coefficients in the finite field Fq its irreducibility is a function of the order of q modulo p; also note that it cannot be primitive over Fq, since its roots have order p < q^n − 1.

Lemma 5.24. Ψp(x) = x^n + x^{n−1} + ⋅⋅⋅ + x + 1 ∈ Z[x] is irreducible.

Lemma 5.25. The polynomial Ψp(x) is irreducible over Fq if and only if the integer q is of order p − 1 modulo p.

Proof: Let ω be a pth root of unity in the extension $\mathbb{F}_{q^n}$ of Fq, and let d be the smallest integer such that $q^d \equiv 1 \pmod p$, p = n + 1. Then each root of Ψp(x) is repeated ϕ(p)/d = n/d times in the sequence of conjugates

$$\omega,\ \omega^q,\ \omega^{q^2},\ \ldots,\ \omega^{q^{d-1}},\ \omega^{q^d} = \omega,\ \omega^{q^{d+1}} = \omega^q,\ \ldots,\ \omega^{q^{n-1}} = \omega^{q^{d-1}} .$$

Hence the minimal polynomial of ω is a divisor of the polynomial

$$\prod_{i=0}^{n-1}\bigl(x - \omega^{q^i}\bigr) = \Bigl(\prod_{i=0}^{d-1}\bigl(x - \omega^{q^i}\bigr)\Bigr)^{n/d},$$

which is irreducible if q has order p − 1 = n modulo p. Conversely, if Ψp(x) ∈ Fq[x] is irreducible then the sequence of conjugates consists of n distinct elements. This implies that the exponent sequence 1, q, q², ..., q^{n−1} is, modulo p, a permutation of 1, 2, ..., n. Hence q has order p − 1 = n modulo p. ▄

In general the polynomial

$$f(x) = \prod_{i=0}^{n-1}\bigl(x - \omega^{q^i}\bigr) \in \mathbb{F}_q[x]$$

is always a power of the minimal polynomial $m_\omega(x) \in \mathbb{F}_q[x]$ of the element $\omega \in \mathbb{F}_{q^n}$. The exponent is determined by the order of q modulo p: if the integer q has order d < p − 1 modulo p, then f(x) is one irreducible factor over Fq of degree d raised to the power (or multiplicity) ϕ(p)/d = (p − 1)/d.

Case n = (p − 1)/2. Let p = 2n + 1 be prime, g be a primitive root modulo p, and ω be a pth root of unity. In this case the cosets are K0 = { −1, 1 }, K1 = { −g, g }, K2 = { −g², g² }, ..., Kn−1 = { −g^{n−1}, g^{n−1} }, and the periods are

$$\omega + \omega^{-1},\ \ \omega^{g} + \omega^{-g},\ \ \omega^{g^2} + \omega^{-g^2},\ \ \ldots,\ \ \omega^{g^{n-1}} + \omega^{-g^{n-1}} .$$

The period polynomial $\Psi_p(x) = x^n + x^{n-1} + c_2x^{n-2} + \cdots + c_{n-1}x + c_n \in \mathbb{Z}[x]$ of degree n = (p − 1)/2, which is the minimal polynomial of η0 = ω + ω^{−1}, can be computed utilizing several different methods. Two of these methods are

(1) The Recursive Formula Method, and (2) Nonrecursive Method (using power sums).

The Recursive Formula Method. The recursive formula used to compute Ψp(x) over the integers Z is

$$f_v(x) = x\,f_{v-1}(x) - f_{v-2}(x), \qquad v \ge 2,$$

with initial conditions f0(x) = 1 and f1(x) = x + 1. The recursion ends at the nth step with the polynomial Ψp(x) = fn(x).


The recursion is derived from the identity

$$1 + 2\sum_{i=1}^{n}\cos(i\theta) = 0, \qquad \theta = \frac{2\pi}{p},$$

which is the vanishing of the sum of all pth roots of unity, together with $\omega^i + \omega^{-i} = 2\cos(i\theta) = 2\,T_i(\eta_0/2)$, where η0 = ω + ω^{−1} = 2cos θ is a real number and the Chebyshev polynomial $T_n(x) = \cos(n\arccos x)$ satisfies the recursive relation $T_n(x) = 2xT_{n-1}(x) - T_{n-2}(x)$ with initial conditions T0(x) = 1 and T1(x) = x. Thus η0 is a root of $1 + 2\sum_{i=1}^{n} T_i(x/2)$, which is exactly fn(x); see [1, Rybowicz].

An effective algorithm for computing the coefficients of polynomials defined by second-order difference equations, or recursive formulas, is outlined in [1, Bini and Pan, p. 66]. In the case of fn(x), this is written as

$$\begin{pmatrix} f_n(x) \\ f_{n-1}(x) \end{pmatrix} = \begin{pmatrix} x & -1 \\ 1 & 0 \end{pmatrix}\begin{pmatrix} f_{n-1}(x) \\ f_{n-2}(x) \end{pmatrix}.$$

Nonrecursive Method. A nonrecursive formula for computing these polynomials specifies the coefficients as certain binomial coefficients. The exact expression, cf. [1, Gauss, Article 337], [2, Gurak] and [1, Lehmer], has the shape

Lemma 5.26. Let p = 2n + 1 be a prime. Then

$$\Psi_p(x) = \sum_{k=0}^{n} (-1)^{[k/2]}\binom{n - [(k+1)/2]}{[k/2]}\,x^{\,n-k},$$

where the bracket [ · ] is the largest-integer function and $\binom{\cdot}{\cdot}$ is the binomial symbol.

Proof: Put y = x + x^{−1}. Then $x^n + x^{-n}$ is the Dickson polynomial of the first kind in y,

$$x^n + x^{-n} = D_n(y, 1) = \sum_{k=0}^{[n/2]} (-1)^k\,\frac{n}{n-k}\binom{n-k}{k}\, y^{\,n-2k}.$$

Since each $\omega^i + \omega^{-i} \ne 2$ is a distinct root of Ψp(y) and $\omega^{jn} + \omega^{-jn} = \omega^{j(n+1)} + \omega^{-j(n+1)}$ (because n + 1 ≡ −n mod p), each $\omega^i + \omega^{-i}$, 1 ≤ i ≤ n, is also a root of the polynomial

$$D_{n+1}(y, 1) - D_n(y, 1) = (y - 2)\,\Psi_p(y)$$

of degree n + 1. Writing $D_m = E_m - E_{m-2}$ in terms of the Dickson polynomials of the second kind $E_m(y, 1) = \sum_k (-1)^k\binom{m-k}{k}y^{\,m-2k}$ and using $E_{m+1} = yE_m - E_{m-1}$, the quotient simplifies to

$$\Psi_p(y) = \frac{D_{n+1}(y, 1) - D_n(y, 1)}{y - 2} = E_n(y, 1) + E_{n-1}(y, 1) = \sum_{k=0}^{[n/2]} (-1)^k\Bigl[\binom{n-k}{k}y^{\,n-2k} + \binom{n-1-k}{k}y^{\,n-1-2k}\Bigr],$$

which is the stated formula after separating even and odd powers. ▄

The identity $-\omega^{-1}(-1 - \omega^2) = \omega + \omega^{-1}$ permits a calculation of the norm of the element ω + ω^{−1} up to a sign:

$$N(\omega + \omega^{-1})^2 = \prod_{v=1}^{2n}\bigl(\omega^v + \omega^{-v}\bigr) = \prod_{v=1}^{2n}(-\omega^{-v})(-1 - \omega^{2v}) = \Phi_p(-1) = 1,$$

since $\prod_{v=1}^{2n}(-\omega^{-v}) = \omega^{-n(2n+1)} = 1$ and $\omega^{2v}$ runs over all nontrivial pth roots of unity. Thus the norm $N(\omega + \omega^{-1}) = \pm 1$.

The Discriminant of Ψp(x)

Lemma 5.27. The discriminant of Ψp(x) is given by $D(\Psi_p) = p^{(p-3)/2} = p^{\,n-1}$.

Irreducibility Condition. Unlike the previous case, the polynomial fn(x) produced by the recursion is irreducible over the rational numbers Q ⊂ R only when 2n + 1 is prime (for composite 2n + 1 it factors, e.g. f4(x) = (x + 1)(x³ − 3x + 1)), and its irreducibility over the finite field Fq is a function of q and n.

Lemma 5.28. Ψp(x) = x^n + x^{n−1} + c2x^{n−2} + ⋅⋅⋅ + cn−1x + cn ∈ Z[x] is irreducible if 2n + 1 is prime. Proof: Cf. [Lehmer 1930].

Lemma 5.29. Let p = 2n + 1 be prime and p ∤ q. Then Ψp(x) = x^n + x^{n−1} + ⋅⋅⋅ ± 1 is irreducible over Fq if and only if the smallest d ≥ 1 with $q^d \equiv \pm 1 \pmod p$ equals n (see Lemma 5.31). In terms of the order of q modulo p: q must have order 2n, or order n with n odd. (When n is even and q has order exactly n, one has $q^{n/2} \equiv -1 \pmod p$, so ω + ω^{−1} already lies in $\mathbb{F}_{q^{n/2}}$ and Ψp(x) factors; for instance Ψ17(x) ≡ (x⁴ + x + 1)(x⁴ + x³ + x² + x + 1) mod 2, although 2 has order 8 = n modulo 17.)

For the important case Ψp(x) = x^n + x^{n−1} + ⋅⋅⋅ + 1 ∈ F2[x] there are a few sequences of primes 2n + 1 that satisfy the condition in the previous lemma. These are sequences or clusters of primes:

(1) If p = 2n + 1, n = 4c + 3 prime, then 2 has order n modulo p (and n is odd).
(2) If p = 2n + 1, n = 4c + 1 prime, then 2 is a primitive root modulo p.
(3) If p = 4k + 1, k an odd prime (so n = 2k), then 2 is a primitive root modulo p.

These primes occur in clusters.

The polynomial Ψp(x) can also be primitive, but only over the finite fields F2 and F3, since its constant term is ±1 (see below). Recall that a normal polynomial is a polynomial whose roots are linearly independent over the coefficient field.


Theorem 5.30. If both n and 2n + 1 are primes, then the period polynomial Ψp(x) = x^n + x^{n−1} + ⋅⋅⋅ + 1 ∈ F2[x] is a primitive normal polynomial.

This theorem is a direct consequence of the primitive optimal normal basis theorem for the degree n extension $\mathbb{F}_{2^n}$ over F2.

Table of Period Polynomials of Type (2, n).

f0(x) = 1
Ψ3(x) = x + 1
Ψ5(x) = x^2 + x − 1
Ψ7(x) = x^3 + x^2 − 2x − 1
* Ψ9(x) = x^4 + x^3 − 3x^2 − 2x + 1
Ψ11(x) = x^5 + x^4 − 4x^3 − 3x^2 + 3x + 1
Ψ13(x) = x^6 + x^5 − 5x^4 − 4x^3 + 6x^2 + 3x − 1
* Ψ15(x) = x^7 + x^6 − 6x^5 − 5x^4 + 10x^3 + 6x^2 − 4x − 1
Ψ17(x) = x^8 + x^7 − 7x^6 − 6x^5 + 15x^4 + 10x^3 − 10x^2 − 4x + 1
Ψ19(x) = x^9 + x^8 − 8x^7 − 7x^6 + 21x^5 + 15x^4 − 20x^3 − 10x^2 + 5x + 1
* Ψ21(x) = x^10 + x^9 − 9x^8 − 8x^7 + 28x^6 + 21x^5 − 35x^4 − 20x^3 + 15x^2 + 5x − 1
Ψ23(x) = x^11 + x^10 − 10x^9 − 9x^8 + 36x^7 + 28x^6 − 56x^5 − 35x^4 + 35x^3 + 15x^2 − 6x − 1
* Ψ25(x) = x^12 + x^11 − 11x^10 − 10x^9 + 45x^8 + 36x^7 − 84x^6 − 56x^5 + 70x^4 + 35x^3 − 21x^2 − 6x + 1

The entries with a star do not correspond to primes p = 2n + 1; they were generated with the recursive formula given above. All entries agree with the closed form of Lemma 5.26.

Table of Primitive Period Polynomials of Type (2, n) over F2

Ψ3(x) = x + 1
Ψ5(x) = x^2 + x + 1
Ψ7(x) = x^3 + x^2 + 1
Ψ11(x) = x^5 + x^4 + x^2 + x + 1
Ψ13(x) = x^6 + x^5 + x^4 + x + 1
Ψ19(x) = x^9 + x^8 + x^6 + x^5 + x^4 + x + 1
Ψ23(x) = x^11 + x^10 + x^8 + x^4 + x^3 + x^2 + 1

(Ψ17(x) is absent: over F2 it is reducible, see Lemma 5.29.)

There are also cases like Ψ19(x), Ψ37(x), ... in F2[x], (for n = 9, 18, ... and p = 2n + 1 = 19, 37, ...), which are primitive, but the theory has not been worked out. A larger table of the primitive polynomials Ψp(x) for 11 ≤ p ≤ 201 (or n < 100) appears in [1, Rybowicz].

The norm N(α) = (−1)^n f(0) of any root α of a primitive polynomial $f(x) = x^n + a_{n-1}x^{n-1} + \cdots + a_1x + a_0 \in \mathbb{F}_q[x]$ must be a primitive element in Fq. By Lemma 5.26 the constant term of $\Psi_p(x) = x^n + x^{n-1} + c_{n-2}x^{n-2} + \cdots + c_1x + c_0$ is $c_0 = (-1)^{[n/2]}$, so $N(\omega + \omega^{-1}) = (-1)^{n + [n/2]}$. Thus Ψp(x) ∈ F3[x] is a potential primitive polynomial (norm equal to −1, the primitive element of F3) if and only if n = 4c + 1 or 4c + 2. This leads to primes of the form p = 2n + 1 = 8c + 3 or 8c + 5.

Irreducible Period Polynomials of Type (2, n) in F3[x]

Ψ5(x) = x^2 + x − 1, primitive.
Ψ7(x) = x^3 + x^2 + x − 1, irreducible but not primitive.
Ψ11(x) = x^5 + x^4 − x^3 + 1, primitive.
Ψ17(x) = x^8 + x^7 − x^6 + x^3 − x^2 − x + 1, irreducible but not primitive.
Ψ19(x) = x^9 + x^8 + x^7 − x^6 + x^3 − x^2 − x + 1, primitive.
* Ψ21(x) = x^10 + x^9 − 9x^8 − 8x^7 + 28x^6 + 21x^5 − 35x^4 − 20x^3 + 15x^2 + 5x − 1, status undetermined (21 is not prime).
Ψ23(x) = x^11 + x^10 − x^9 + x^6 + x^5 + x^4 − x^3 − 1, irreducible (3 has order 11 = n modulo 23); primitivity undetermined.
* Ψ25(x) = x^12 + x^11 − 11x^10 − 10x^9 + 45x^8 + 36x^7 − 84x^6 − 56x^5 + 70x^4 + 35x^3 − 21x^2 − 6x + 1, status undetermined (25 is not prime).
Ψ31(x) = x^15 + x^14 − ⋅⋅⋅ − 1, irreducible but not primitive.
Ψ127(x) = x^63 + x^62 − ⋅⋅⋅ − 1, irreducible but not primitive.
In general Ψp(x) = x^n + x^{n−1} − ⋅⋅⋅ − 1, p = 2n + 1 = 2^r − 1, is irreducible if 3 has order n or 2n modulo p (n is odd here), but not primitive, since the norm N(ω + ω^{−1}) = (−1)^n Ψp(0) = 1 is not primitive in F3.
Ψ257(x) = x^128 + x^127 − ⋅⋅⋅ + 1 is irreducible since 3 has order 256 modulo 257, but not primitive, since the norm N(ω + ω^{−1}) = (−1)^n Ψp(0) = 1 is not primitive in F3.
Ψ65537(x) = x^32768 + x^32767 − ⋅⋅⋅ + 1 is irreducible since 3 has order 65536 modulo the Fermat prime 65537, but not primitive, since the norm N(ω + ω^{−1}) = (−1)^n Ψp(0) = 1 is not primitive in F3.

Lemma 5.31. Let ω ∈ GF(q^{kn}) be an element of order ord(ω) = kn + 1, where kn + 1 is a prime not dividing q. Then the degree d of the minimal polynomial m(x) of ω + ω^{−1} over GF(q) is the smallest integer d ≥ 1 such that $q^d \equiv \pm 1 \pmod{kn + 1}$.

Proof: $(\omega + \omega^{-1})^{q^d} = \omega^{q^d} + \omega^{-q^d}$ equals ω + ω^{−1} exactly when $q^d \equiv \pm 1 \pmod{kn+1}$, so GF(q^d) is the smallest subfield of GF(q^{kn}) containing ω + ω^{−1}, and

$$f(x) = \prod_{i=0}^{kn-1}\Bigl(x - (\omega + \omega^{-1})^{q^i}\Bigr) = \Bigl(\prod_{i=0}^{d-1}\Bigl(x - (\omega + \omega^{-1})^{q^i}\Bigr)\Bigr)^{kn/d} = m(x)^{kn/d}. \qquad ▄$$

A linear combination $a\omega + b\omega^{-1}$, 0 ≠ a, b ∈ Fq, is treated in the same way (for a ≠ b only $q^d \equiv 1$ fixes it). The instance kn + 1 = 2n + 1 prime with $2^n \equiv \pm 1 \pmod{2n + 1}$, i.e. d = n, is the special case $f(x) = \Psi_p(x)^2$.
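The following Python code, an added example rather than part of the original text, implements the recursion and the closed form of Lemma 5.26 side by side, reduces Ψp modulo q, and compares the order criterion of Lemmas 5.29 and 5.31 (the least d with q^d ≡ ±1 mod p) with a direct irreducibility test over Fq; it also tests primitivity by computing the order of x modulo Ψp. The routine names are mine; the Fq routines take polynomials as lists with the constant term first.

```python
# Period polynomials of type (2, n), p = 2n + 1: recursion f_v = x f_{v-1} - f_{v-2},
# the closed form of Lemma 5.26, reduction mod q, and irreducibility / primitivity
# tests over F_q (Lemmas 5.29 and 5.31).
from math import comb

def psi_recursive(n):
    """Coefficients (highest degree first) of f_n: f_0 = 1, f_1 = x + 1, f_v = x f_{v-1} - f_{v-2}."""
    if n == 0:
        return [1]
    f_prev, f = [1], [1, 1]
    for _ in range(2, n + 1):
        xf = f + [0]                                     # x * f_{v-1}
        padded = [0] * (len(xf) - len(f_prev)) + f_prev  # align f_{v-2}
        f_prev, f = f, [a - b for a, b in zip(xf, padded)]
    return f

def psi_closed(n):
    """Lemma 5.26: the coefficient of x^{n-k} is (-1)^[k/2] * binom(n - [(k+1)/2], [k/2])."""
    return [(-1) ** (k // 2) * comb(n - (k + 1) // 2, k // 2) for k in range(n + 1)]

# --- polynomial arithmetic over F_q, q prime; lists are lowest degree first ---
def trim(a):
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def reduce_mod(coeffs_high_first, q):
    """Psi_p over Z (highest degree first) -> Psi_p mod q (lowest degree first)."""
    return trim([c % q for c in reversed(coeffs_high_first)])

def poly_rem(a, m, q):
    a, dm = [c % q for c in a], len(m) - 1
    if dm == 0:
        return [0]
    inv = pow(m[-1] % q, -1, q)
    for i in range(len(a) - 1, dm - 1, -1):
        c = a[i] * inv % q
        if c:
            for j in range(dm + 1):
                a[i - dm + j] = (a[i - dm + j] - c * m[j]) % q
    return trim(a[:dm])

def poly_sub(a, b, q):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % q for x, y in zip(a, b)])

def poly_mulmod(a, b, m, q):
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % q
    return poly_rem(prod, m, q)

def poly_powmod(base, e, m, q):
    result, base = [1], poly_rem(base, m, q)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, q)
        base = poly_mulmod(base, base, m, q)
        e >>= 1
    return result

def poly_gcd(a, b, q):
    a, b = trim([c % q for c in a]), trim([c % q for c in b])
    while b != [0]:
        a, b = b, poly_rem(a, b, q)
    inv = pow(a[-1], -1, q)
    return [c * inv % q for c in a]

def is_irreducible(f, q):
    """Monic f is irreducible over F_q iff gcd(f, x^{q^d} - x) = 1 for all d <= deg f / 2."""
    n, xp = len(f) - 1, [0, 1]
    for _ in range(1, n // 2 + 1):
        xp = poly_powmod(xp, q, f, q)                    # x^{q^d} mod f
        if poly_gcd(f, poly_sub(xp, [0, 1], q), q) != [1]:
            return False
    return True

def prime_factors(m):
    fs, d = [], 2
    while d * d <= m:
        if m % d == 0:
            fs.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        fs.append(m)
    return fs

def is_primitive(f, q):
    """The root x of an irreducible f has order q^n - 1 iff x^{(q^n - 1)/r} != 1 for every prime r | q^n - 1."""
    if not is_irreducible(f, q):
        return False
    order = q ** (len(f) - 1) - 1
    return all(poly_powmod([0, 1], order // r, f, q) != [1] for r in prime_factors(order))

def period_degree(p, q):
    """Lemma 5.31: degree of omega + omega^{-1} over F_q = least d >= 1 with q^d ≡ ±1 (mod p)."""
    assert q % p != 0
    d, x = 1, q % p
    while x not in (1, p - 1):
        x, d = x * q % p, d + 1
    return d

def irreducible_by_order(p, q):
    """Lemma 5.29 as corrected: Psi_p (p = 2n + 1) is irreducible over F_q iff period_degree(p, q) == n."""
    return period_degree(p, q) == (p - 1) // 2

if __name__ == "__main__":
    for p in (5, 7, 11, 13, 17, 19, 23, 29, 31):
        f = reduce_mod(psi_closed((p - 1) // 2), 2)
        print(p, f, "irreducible:", is_irreducible(f, 2), "primitive:", is_primitive(f, 2))
```

The main block prints, for each p, the reduction of Ψp modulo 2 together with the two test results; p = 17 is the case where the order of 2 modulo p equals n but the polynomial still factors.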

5.5 Coefficients Calculations Via Power Sums Method. The linking formulae and Newton's identities are some of the basic tools used to compute the coefficients of period polynomials.

The dth power sums Sd of the roots of the period polynomials, which appear in Newton's identity, are defined by

$$S_d = \eta_0^d + \eta_1^d + \eta_2^d + \cdots + \eta_{n-1}^d .$$

The dth sum Sd is computed recursively from a given list S0, S1, …, Sd−1. Several of the sums Sd for small parameter k in the prime p = kn + 1 have been determined. This section introduces the methods utilized to compute these integers.

Lemma 5.32. (Lehmers 1983) Let p = 2n + 1 be a prime, η0 = ω + ω^{−1}, and let d ≥ 1. Then

$$S_d = -2^{d-1} + \frac{p}{2}\sum_{\substack{0 \le u \le d \\ 2u \equiv d \ (\mathrm{mod}\ p)}}\binom{d}{u}.$$

Proof: As the index runs from i = 1 to p − 1, each term in the list (ω + ω^{−1})^d, (ω² + ω^{−2})^d, ..., (ω^{p−1} + ω^{−(p−1)})^d, with d fixed, is repeated twice. Thus

$$2S_d = \sum_{i=1}^{p-1}\bigl(\omega^i + \omega^{-i}\bigr)^d = \sum_{u=0}^{d}\binom{d}{u}\sum_{i=1}^{p-1}\omega^{i(2u - d)} = \sum_{u=0}^{d}\binom{d}{u}\bigl(p\,\delta_{2u \equiv d} - 1\bigr),$$

where $\delta_{2u \equiv d}$ is 1 if 2u ≡ d mod p and 0 otherwise. The claim follows from this, since $\sum_u \binom{d}{u} = 2^d$. ▄

The pattern of the even and odd power sums is simply

$$S_d = -2^{d-1} + \frac{p}{2}\binom{d}{d/2} \ \ (d \text{ even}) \qquad\text{and}\qquad S_d = -2^{d-1} + \frac{p}{2}\sum_{2u \equiv d \ (\mathrm{mod}\ p)}\binom{d}{u} \ \ (d \text{ odd}),$$

respectively (for d < p the sum in the odd case is empty). For example, S1 = −1, S2 = p − 2, S3 = −4, S4 = 3p − 8, ... These values immediately lead to a recursive determination of the coefficients of Ψp(x). The first few are

c0 = 1, c1 = −S1 = 1,
c2 = −(c0S2 + c1S1)/2 = (3 − p)/2,
c3 = −(c0S3 + c1S2 + c2S1)/3 = (5 − p)/2,
c4 = −(c0S4 + c1S3 + c2S2 + c3S1)/4 = (p² − 12p + 35)/8,
…

$$c_k = -\frac{1}{k}\sum_{v=1}^{k} S_v\, c_{k-v}, \qquad k \le n .$$


Case n = (p − 1)/3. In the next result for p = 3n + 1, the period polynomials Ψp(x) are polynomials of degree deg(Ψp(x)) = n. The degree n = (p − 1)/3 increases as p increases, but the number of terms in each period is three independently of p. The first one is

$$\eta_0 = \omega + \omega^{a} + \omega^{a^2},$$

where 1 ≠ a, a³ = 1. There are two possibilities, $a = (-1 \pm \sqrt{-3})/2$ in Fp, and both give the same η0.

The power sums for small d are as follows.

Lemma 5.33. (Lehmers 1983) If d is small, namely if the only solutions in nonnegative integers of u + v + w = d, u + va + wa² ≡ 0 (mod p) are those with u = v = w, then

$$S_d = \begin{cases} -3^{d-1} + \dfrac{p}{3}\dbinom{3s}{s}\dbinom{2s}{s} & \text{if } d = 3s,\\[2ex] -3^{d-1} & \text{otherwise.}\end{cases}$$

Proof: See [1, Lehmer (Short period), p. 749]. In general, as in the proof of Lemma 5.32, $3S_d = \sum_{i=1}^{p-1}(\omega^i + \omega^{ia} + \omega^{ia^2})^d = \sum \binom{d}{u,\,v,\,w}\bigl(p\,\delta_{u + va + wa^2 \equiv 0} - 1\bigr)$, and the displayed formula counts only the solution u = v = w = s. The hypothesis is stronger than d < p: for p = 31, a = 5, the triple (u, v, w) = (6, 0, 1) satisfies 6 + 0·5 + 1·25 = 31, and with its two cyclic shifts it gives S7 = (31·3·7 − 3⁷)/3 = −512 instead of −3⁶ = −729. ▄

These values lead to a recursive determination of the coefficients of Ψp(x), valid as long as the hypothesis of Lemma 5.33 holds for all d ≤ k. The first few are

c0 = 1, c1 = −S1 = 1,
c2 = −(c0S2 + c1S1)/2 = 2,
c3 = −(c0S3 + c1S2 + c2S1)/3 = (14 − 2p)/3,
c4 = −(c0S4 + c1S3 + c2S2 + c3S1)/4 = (35 − 2p)/3,
c5 = −(c0S5 + c1S4 + c2S3 + c3S2 + c4S1)/5 = (91 − 4p)/3,
c6 = −(c0S6 + c1S5 + c2S4 + c3S3 + c4S2 + c5S1)/6 = (2p² − 73p + 728)/9,
c7 = −(c0S7 + c1S6 + c2S5 + c3S4 + c4S3 + c5S2 + c6S1)/7 = (2p² − 115p + 1976)/9,
c8 = −(c0S8 + c1S7 + c2S6 + c3S5 + c4S4 + c5S3 + c6S2 + c7S1)/8 = (4p² − 272p + 5434)/9,
c9 = −(c0S9 + c1S8 + c2S7 + c3S6 + c4S5 + c5S4 + c6S3 + c7S2 + c8S1)/9 = −(4p³ − 354p² + 11298p − 135850)/81,
…

(For p = 37 these give c6 = 85, c7 = 51, c8 = 94, c9 = −2, matching the table below; for p = 31 the closed form for c7 would give 37, whereas the true value is 6, because Lemma 5.33 no longer applies at d = 7.)

Table of Period Polynomials of Type (3, n). A small table of the polynomials Ψp(x) is provided here. The parameter a is the smallest value of $a = (-1 \pm \sqrt{-3})/2$ in Fp.

Ψ7(x) = x^2 + x + 2, a = 2,
Ψ13(x) = x^4 + x^3 + 2x^2 − 4x + 3, a = 3,


Ψ19(x) = x^6 + x^5 + 2x^4 − 8x^3 − x^2 + 5x + 7, a = 7,
Ψ31(x) = x^10 + x^9 + 2x^8 − 16x^7 − 9x^6 − 11x^5 + 43x^4 + 6x^3 + 63x^2 + 20x + 25, a = 5,
Ψ37(x) = x^12 + x^11 + 2x^10 − 20x^9 − 13x^8 − 19x^7 + 85x^6 + 51x^5 + 94x^4 − 2x^3 − 13x^2 − 77x + 47, a = 10,
Ψ43(x) = x^14 + x^13 + 2x^12 − 24x^11 − 17x^10 − 27x^9 + 143x^8 + 81x^7 + 83x^6 − 209x^5 + 163x^4 + 88x^3 + 235x^2 − 168x + 79, a = 6.

Case n = (p − 1)/4. Similarly, for p = 4n + 1, Ψp(x) is the minimal polynomial of the period

$$\eta_0 = \omega + \omega^{a} + \omega^{a^2} + \omega^{a^3} = \omega + \omega^{-1} + \omega^{a} + \omega^{-a},$$

where 1 ≠ a, a⁴ = 1, that is a = √−1 in Fp (either square root gives the same η0).

Lemma 5.34. (Lehmers 1983) If d is small, namely if the only solutions in nonnegative integers of $u_1 + u_2 + u_3 + u_4 = d$, $u_1 - u_2 + a(u_3 - u_4) \equiv 0 \pmod p$ are those with u1 = u2 and u3 = u4, then

$$S_d = \begin{cases} -4^{d-1} + \dfrac{p}{4}\dbinom{d}{d/2}^2 & \text{if } d = 2s,\\[2ex] -4^{d-1} & \text{otherwise.}\end{cases}$$

Proof: See [1, Lehmer (Short period), p. 754]. The same caveat as in Lemma 5.33 applies: for p = 29, a = 12, the tuple (5, 0, 2, 0) satisfies 5 + 12·2 = 29, so the formula fails from d = 7 on. ▄

These values immediately lead to a recursive determination of the coefficients of Ψp(x), again as long as the lemma applies for all d ≤ k. The first few are

c0 = 1, c1 = −S1 = 1,
c2 = −(c0S2 + c1S1)/2 = −(p − 5)/2,
c3 = −(c0S3 + c1S2 + c2S1)/3 = −(p − 15)/2,
c4 = −(c0S4 + c1S3 + c2S2 + c3S1)/4 = (p² − 28p + 195)/8,
c5 = −(c0S5 + c1S4 + c2S3 + c3S2 + c4S1)/5 = (p² − 48p + 663)/8,
c6 = −(c0S6 + c1S5 + c2S4 + c3S3 + c4S2 + c5S1)/6 = −(p³ − 69p² + 1655p − 13923)/48,
c7 = −(c0S7 + c1S6 + c2S5 + c3S4 + c4S3 + c5S2 + c6S1)/7 = −(p³ − 99p² + 3599p − 49725)/48,
…

(For p = 41 the last formula gives c7 = −7 as in the table; for p = 29 it would give 88, whereas the true constant term of Ψ29(x) is 1.)

Table of Period Polynomials of Degree n and Type (4, n). A small table of the polynomials Ψp(x) is provided here, a = √−1.


Ψ5(x) = x + 1,
Ψ13(x) = x^3 + x^2 − 4x + 1,
Ψ17(x) = x^4 + x^3 − 6x^2 − x + 1,
Ψ29(x) = x^7 + x^6 − 12x^5 − 7x^4 + 28x^3 + 14x^2 − 9x + 1,
Ψ37(x) = x^9 + x^8 − 16x^7 − 11x^6 + 66x^5 + 32x^4 − 73x^3 − 7x^2 + 7x + 1,
Ψ41(x) = x^10 + x^9 − 18x^8 − 13x^7 + 91x^6 + 47x^5 − 143x^4 − 7x^3 + 72x^2 − 23x + 1.
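As an added example (my code, not the author's), the following Python routine computes the power sums Sd of the periods of type (k, n) exactly, by the multinomial expansion used in the proofs of Lemmas 5.32–5.34 with no smallness proviso on d, and then recovers the coefficients of Ψp(x) through Newton's identities. It reproduces the tables of types (2, n), (3, n) and (4, n) above and shows where the closed forms for c7 stop applying.

```python
# Power sums S_d of the Gaussian periods of type (k, n), p = kn + 1, and the coefficients
# of Psi_p(x) via Newton's identities.  S_d = (p N_d - k^d) / k, where N_d is the sum of
# the multinomial coefficients d!/(u_0! ... u_{k-1}!) over the exponent tuples u with
# u_0 + a u_1 + ... + a^{k-1} u_{k-1} ≡ 0 (mod p), a an element of order k modulo p.
from fractions import Fraction
from itertools import combinations
from math import factorial, prod

def prime_factors(m):
    fs, d = [], 2
    while d * d <= m:
        if m % d == 0:
            fs.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        fs.append(m)
    return fs

def element_of_order(p, k):
    """An element of exact multiplicative order k modulo the prime p (needs k | p - 1)."""
    for a in range(1, p):
        if pow(a, k, p) == 1 and all(pow(a, k // r, p) != 1 for r in prime_factors(k)):
            return a
    raise ValueError("k does not divide p - 1")

def compositions(d, k):
    """All k-tuples of nonnegative integers with sum d (stars and bars)."""
    for bars in combinations(range(d + k - 1), k - 1):
        prev, parts = -1, []
        for b in bars:
            parts.append(b - prev - 1)
            prev = b
        parts.append(d + k - 1 - prev - 1)
        yield tuple(parts)

def power_sum(p, k, d):
    """S_d = sum of the d-th powers of the n = (p - 1)/k periods of type (k, n)."""
    a = element_of_order(p, k)
    powers = [pow(a, j, p) for j in range(k)]
    N = 0
    for u in compositions(d, k):
        if sum(uj * aj for uj, aj in zip(u, powers)) % p == 0:
            N += factorial(d) // prod(factorial(uj) for uj in u)
    numerator = p * N - k ** d
    assert numerator % k == 0
    return numerator // k

def period_poly(p, k):
    """Coefficients [1, c_1, ..., c_n] (highest degree first) of Psi_p(x), n = (p - 1)/k."""
    n = (p - 1) // k
    S = [None] + [power_sum(p, k, d) for d in range(1, n + 1)]
    c = [Fraction(1)]
    for m in range(1, n + 1):                 # Newton: sum_{v=1}^m S_v c_{m-v} + m c_m = 0
        c.append(-sum(S[v] * c[m - v] for v in range(1, m + 1)) / m)
    assert all(ci.denominator == 1 for ci in c)
    return [int(ci) for ci in c]

def lehmer_c7_cubic(p):
    """Closed form for c_7 in the case k = 3 as given in the text; valid only while Lemma 5.33 applies."""
    return Fraction(2 * p * p - 115 * p + 1976, 9)

if __name__ == "__main__":
    for p, k in ((7, 3), (13, 3), (19, 3), (31, 3), (13, 4), (17, 4), (29, 4), (23, 2)):
        print(p, k, period_poly(p, k))
    print("c_7 for p = 31:", period_poly(31, 3)[7], "vs closed form", lehmer_c7_cubic(31))
```

The enumeration of exponent tuples is exponential in k, so this is a verification tool for small k, which is exactly the regime of this section; for k = 2 it reproduces Lemma 5.32 term by term.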

Techniques for computing the period polynomials with respect to composite parameters kn + 1 also appear in [1, Lehmers]. For more material about the factorizations of period polynomials and related questions, see [1, 2, Gurak], [1, Gupta and Zagier], [2, Lehmer], and [1, Meyers], etc. The period polynomials are very closely related to the Dickson polynomials of the first and second kinds:

$$D_n(x, a) = \sum_{k=0}^{[n/2]} \frac{n}{n-k}\binom{n-k}{k}(-a)^k x^{\,n-2k} \qquad\text{and}\qquad E_n(x, a) = \sum_{k=0}^{[n/2]}\binom{n-k}{k}(-a)^k x^{\,n-2k}.$$

The recursive relations for these polynomials (with a = 1) are

Dn+2(x) = xDn+1(x) − Dn(x), with initial conditions D0(x) = 2 and D1(x) = x, and
En+2(x) = xEn+1(x) − En(x), with initial conditions E0(x) = 1 and E1(x) = x.

The exact expression is

$$\Psi_p(x) = \frac{D_{n+1}(x, 1) - D_n(x, 1)}{x - 2} = E_n(x, 1) + E_{n-1}(x, 1).$$

5.6 Sequences of Period Polynomials. The nth power residuacity of q modulo p is employed to determine the irreducibility status of the nth period polynomials, and to generate sequences of irreducible polynomials.

Theorem 5.35. Let p = kn + 1 = 2^u k + 1 and q be primes, and suppose that q is a quadratic nonresidue modulo p. Then the period polynomial

$$\Psi_p(x) = x^n + x^{n-1} + c_2x^{n-2} + \cdots + c_{n-2}x^2 + c_{n-1}x + c_n \in \mathbb{F}_q[x]$$

is irreducible for every n = 2^u.

Proof: The hypothesis ( q | p ) = −1 means that q is an odd power of a primitive root g modulo p, so its image in the cyclic group $\mathbb{Z}_p^*/\langle g^n\rangle$ of order n = 2^u is a generator. The Frobenius x → x^q therefore permutes the periods η0, η1, ..., ηn−1 in a single n-cycle, and Ψp(x) is irreducible over Fq. (For n a power of two this is the same as q being an nth power nonresidue, $q^{(p-1)/n} \not\equiv 1 \pmod p$; for general n that weaker condition does not suffice.) ▄

Example 5.36. Take q = 3 and a prime p = 2^u k + 1 ≡ 2 mod 3; since p ≡ 1 mod 4, quadratic reciprocity gives ( 3 | p ) = ( p | 3 ) = −1, so 3 is a quadratic nonresidue modulo p. Accordingly the period polynomial

$$\Psi_p(x) = x^n + x^{n-1} + c_2x^{n-2} + \cdots + c_{n-2}x^2 + c_{n-1}x + c_n \in \mathbb{F}_3[x]$$

is irreducible for every n = 2^u dividing p − 1. For instance p = 17 gives the irreducible polynomials x² + x − 4, x⁴ + x³ − 6x² − x + 1, x⁸ + x⁷ − 7x⁶ − 6x⁵ + 15x⁴ + 10x³ − 10x² − 4x + 1 and Φ17(x) over F3.

In particular, for n = 8,

$$\Psi_p(x) = x^8 + x^7 + c_2x^6 + c_3x^5 + c_4x^4 + c_5x^3 + c_6x^2 + c_7x + c_8$$

is irreducible over Fq if ( q | p ) = −1. Otherwise ( q | p ) = 1 and it has 2, 4 or 8 irreducible factors.

The discriminant of Ψpq(x) is given in [1, Brillhart].


Chapter 6

Periods Normal Bases


6.1 Definitions and Existence

Let r ∈ ℕ be an integer such that gcd(r, q) = 1, and put ϕ(r) = kn, where ϕ is the totient function. Let ω be a primitive rth root of unity in the rth cyclotomic extension Fq(ω) of Fq. The finite field Fq(ω) is an extension of Fq of degree m = [ Fq(ω) : Fq ], where m | kn is the smallest integer such that $q^m - 1 \equiv 0 \pmod r$. The constraint gcd(r, q) = 1 ensures the existence of nontrivial rth roots of unity in characteristic char(Fq).

Definition 6.1. Let K0, K1, ..., Kn−1 be subsets of $\mathbb{Z}_r^*$. The quasi-periods are defined by

$$\eta_0 = \sum_{x \in K_0}\omega^x, \qquad \eta_1 = \sum_{x \in K_1}\omega^x, \qquad \ldots, \qquad \eta_{n-1} = \sum_{x \in K_{n-1}}\omega^x .$$

The set of elements { η0, η1, ..., ηn−1 } generated by an arbitrary list of subsets K0, K1, ..., Kn−1 is a potential basis of $\mathbb{F}_{q^n}$ over Fq. Normal bases require conjugate elements:

$$\eta_i,\ \ \eta_{i+1} = \eta_i^{\,q},\ \ \eta_{i+2} = \eta_i^{\,q^2},\ \ \ldots,\ \ \eta_{i+n-1} = \eta_i^{\,q^{n-1}} .$$

A simple method for constructing conjugate elements is described here.

Lemma 6.2. Let K be a subset of $\mathbb{Z}_r^*$, and suppose that K0 = K, K1 = qK, K2 = q²K, ..., Kn−1 = q^{n−1}K are distinct subsets of $\mathbb{Z}_r^*$. Then the quasi-periods η0, η1, ..., ηn−1 are conjugates over Fq.

Proof: Take the automorphism σj : x → x^{q^j} of $\mathbb{F}_{q^n}$. Then

$$\sigma_j(\eta_i) = \eta_i^{\,q^j} = \Bigl(\sum_{x \in K_i}\omega^x\Bigr)^{q^j} = \sum_{x \in K_i}\omega^{q^j x} = \sum_{y \in q^jK_i}\omega^{y} = \eta_{i+j} . \qquad ▄$$

A set of conjugate elements might fail to be a normal basis simply because either the trace is identically zero or the trace is not an element of Fq.

Lemma 6.3. Let K ∪ qK ∪ q²K ∪ ⋅⋅⋅ ∪ q^{n−1}K = $\mathbb{Z}_r^*$ be a partition, i.e. q^iK ≠ q^jK for i ≠ j and the sets are disjoint, and let n be a divisor of ϕ(r) = kn, r squarefree. Then

(1) The quasi-periods η0, η1, ..., ηn−1 are conjugates over Fq.
(2) Tr(ηi) = η0 + η1 + ⋅⋅⋅ + ηn−1 = ±1.

Proof: (2) Since the subsets are disjoint and r is squarefree,

$$\mathrm{Tr}(\eta_i) = \sum_{\gcd(x,\, r) = 1}\omega^x = \mu(r) = \pm 1,$$


where µ is the Möbius function (the sum is the Ramanujan sum cr(1)). ▄

In general a union K0 ∪ K1 ∪ K2 ∪ ⋅⋅⋅ ∪ Kn−1 = $\mathbb{Z}_r^*$ of nondisjoint subsets, perhaps all of the same cardinality, does not satisfy the nonzero trace property. Likewise, nonsquarefree integers r yield periods of zero trace, since then µ(r) = 0.

The construction of period normal bases requires well-structured partitions of the multiplicative group $\mathbb{Z}_r^*$. The best-known construction method of period normal bases utilizes coset partitions of $\mathbb{Z}_r^*$. The cosets of nth power residues and nonresidues of the multiplicative group $\mathbb{Z}_r^*$ (also the multiplicative groups of extensions of Zr) have the structure sought after. The partition into nth power residues and nonresidues consists of n distinct cosets K0 ∪ K1 ∪ K2 ∪ ⋅⋅⋅ ∪ Kn−1 of $\mathbb{Z}_r^*$, each of cardinality k. The group $\mathbb{Z}_r^*$ has one or more subgroups of index n (order k), depending on r, and each such subgroup induces a coset partition of $\mathbb{Z}_r^*$.

Definition 6.4. If the integer r is a prime then the subset K ⊂ $\mathbb{Z}_r^*$ of nth power residues is the unique subgroup of index n, and the induced periods η0, η1, ..., ηn−1 are called prime gaussian periods, otherwise nonprime gaussian periods.

For applications to bases of the finite field extension $\mathbb{F}_{q^n}$ of Fq, it is convenient to take g = q if the integer q is a primitive root modulo p. Under this condition the gaussian periods of type (k, n) are written in the more convenient form

$$\eta_0 = \sum_{j=0}^{k-1}\omega^{q^{jn}}, \qquad \eta_1 = \sum_{j=0}^{k-1}\omega^{q^{jn+1}}, \qquad \ldots, \qquad \eta_{n-1} = \sum_{j=0}^{k-1}\omega^{q^{jn+n-1}} .$$

6.2 Existence of Period Normal Bases

One of the main problems in the theory of normal bases of finite fields is to determine under what condition a list of conjugate elements η0, η1, ..., ηn−1 forms a normal basis of $\mathbb{F}_{q^n}$ over Fq. Specifically, whether the trivial solution a = (an−1, ..., a1, a0) = 0 is the only solution of the equation

$$a_0\eta_0 + a_1\eta_1 + \cdots + a_{n-1}\eta_{n-1} = 0 .$$

The focus here is on the identification of period normal bases.

Some Necessary Properties of Normal Bases. (1) The elements η0, η1, ..., ηn−1 are conjugates. (2) The trace Tr(η0) = ⋅⋅⋅ = Tr(ηn−1) = η0 + η1 + ⋅⋅⋅ + ηn−1 ≠ 0 is an element in Fq. (3) a0η0 + a1η1 + ⋅⋅⋅ + an−1ηn−1 = 0 ⇔ (an−1, ..., a1, a0) = (0, ..., 0, 0).


Property (3) is sufficient for a basis, but not for a normal basis. A general normal basis test automatically verifies all theses properties. Several results or tests are stated below.

* Theorem 6.5. Let K be an arbitrary subset of Z r . Then the quasi-periods derived from this set

is a normal basis of Fqn over Fq if the following conditions hold.

* 2 n−1 i j (1) The union Z r = K ∪ qK ∪ q K∪ ⋅⋅⋅ ∪ q K is a disjoint union, i.e., q K ≠ q K for i ≠ j, where n is a divisor of ϕ(r) = kn. n (2) For all irreducible factor a(x) of x – 1 = a(x)b(x) ∈ Fq[x],

n r x −1 qi η = ∑biη ≠ 0 , a(x) i=0

d d−1 where n = de, and b(x) = bdx + bd−1x + ⋅⋅⋅ + b1x + b0.

The simplest case involves the two-factor factorization xn − 1 = (x − 1)f(x), f(x) irreducible in Fq[x]. Under this setting, the system of inequalities in the above theorem has two lines q n (i) Tr(ηi) ≠ 0, and (ii) ηi −ηi ≠ 0 . In other simple cases the polynomial x − 1 has only a few irreducible factors.

Another simple period normal basis test is covered below. This test indirectly verifies all the normality conditions using only integers arithmetic operations.

Theorem 6.6. Suppose r = kn + 1 is a prime, r ∤ q, and d = ordr(q). Then a gaussian period of

type (k, n) is a normal element in Fqn over Fq if and only if gcd(kn/d, n) = 1.

The integer e = kn/d is the index of q modulo r. This stipulates that n be a divisor of the order of q modulo r, so d = ordr(q) ≥ n, and q generates a cyclic subgroup of order #< q > = an, a ≥ 1. A proof of the linear independence, (from the point of view of group theory), appears in [1, Menezes et al., p.101.].

For a given prime r and prime power q, gcd(r, q) = 1, this result provides a fast algorithm for identifying a normal gaussian period of type (k, n) in an extension $F_{q^n}$ of $F_q$. A similar result, unconditional and based on the matrix determinant test det(N) ≠ 0 of the regular matrix representation N attached to the subset { η0, η1, ..., ηn−1 }, is illustrated here.

Theorem 6.7. Let r = kn + 1 be a prime, and let q be an nth power nonresidue modulo r. Then the gaussian periods ηi of degree n constitute a normal basis of $F_{q^n}$ over $F_q$.

Proof: Let g be primitive modulo r, and let $K = \{ g^{jn} : 0 \le j < k \}$. Then the n cosets satisfy the inequality $q^iK \neq q^jK$ for i ≠ j, 0 ≤ i, j < n (note that $q = g^{jn+i}$). This condition implies the existence of n distinct periods η0, η1, ..., ηn−1 of type (k, n). Further, the matrix N is a symmetric circulant matrix, that is,


$$N = (\eta_i^{q^j}) = (\eta_{i+j}).$$

Since the determinant of a circulant matrix is the product of the discrete Fourier transform of the generating vector (η0, η1, ..., ηn−1), the determinant of the circulant matrix N is

$$\det(N) = \prod_{s=0}^{n-1}\sum_{t=0}^{n-1}\eta_t\,\xi^{st} = \prod_{s=0}^{n-1} G(\chi_s) \neq 0,$$

where ξ is a primitive nth root of unity in $F_{q^{kn}}$. In the third term above the inner sum is rephrased as a gaussian sum G(χs), where the character $\chi_s(g) = \xi^s$. The sum G(χs) has the value G(χ0) = −1, and $G(\chi_s)^2 = p$ for 0 < s < n. Hence $\det(N)^2 = p^{n-1}$, or equivalently $\det(N) = \pm p^{(n-1)/2}$. This proves the linear independence of the subset of periods. ∎

The proof of this last result combines ideas from algebraic number theory and linear algebra; see the chapter on Structured Matrices for more material on this.

Observe that this result also provides a fast two-step algorithm for identifying the period normal bases using only integer arithmetic:

(1) Primality testing of kn + 1, and
(2) Determination of the residuacity of q modulo kn + 1.

The nth power nonresidue test is verified with the inequality $q^{(r-1)/n} \not\equiv 1 \bmod r$.
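The two-step algorithm above, carried out in code as an added example (this is not the book's own code): step (1) tests kn + 1 for primality and step (2) applies the nth power nonresidue test $q^{(r-1)/n} \not\equiv 1 \bmod r$. Alongside it, `period_is_normal` evaluates the gcd criterion of Theorem 6.6, and `cosets_distinct` checks directly the hypothesis used in the proof of Theorem 6.7, that the n cosets $K, qK, \ldots, q^{n-1}K$ are distinct. The function names and the search bound `k_max` are my own assumptions.

```python
"""Integer-arithmetic tests for period normal bases (Theorems 6.6 and 6.7).
Added example, not code from the book; r = kn + 1, q and d = ord_r(q) are the
book's symbols, the function names are mine."""

from math import gcd


def is_prime(n):
    """Trial-division primality test; step (1) of the two-step algorithm."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def mult_order(q, r):
    """d = ord_r(q), the multiplicative order of q modulo the prime r (gcd(q, r) = 1)."""
    d, x = 1, q % r
    while x != 1:
        x = x * q % r
        d += 1
    return d


def nth_power_nonresidue(q, n, r):
    """Step (2): q is an nth power nonresidue modulo r iff q^((r-1)/n) != 1 (mod r)."""
    return pow(q, (r - 1) // n, r) != 1


def period_is_normal(q, k, n):
    """Theorem 6.6: the type (k, n) gaussian period is normal in F_{q^n} over F_q
    iff gcd(kn/d, n) = 1, where r = kn + 1 is prime and d = ord_r(q)."""
    r = k * n + 1
    if not is_prime(r) or gcd(q, r) != 1:
        return False
    d = mult_order(q, r)
    return gcd((k * n) // d, n) == 1


def cosets_distinct(q, k, n):
    """Hypothesis of the proof of Theorem 6.7, checked directly: the n cosets
    K, qK, ..., q^{n-1}K of the nth power residues K modulo r = kn + 1 are
    pairwise distinct, so that there are n distinct periods."""
    r = k * n + 1
    K = frozenset(pow(x, n, r) for x in range(1, r))
    cosets = {frozenset(pow(q, i, r) * x % r for x in K) for i in range(n)}
    return len(cosets) == n


def find_period_basis(q, n, k_max=10_000):
    """Smallest k such that r = kn + 1 is prime, q is an nth power nonresidue
    modulo r and the n cosets are distinct; returns (k, r) or None."""
    for k in range(1, k_max + 1):
        r = k * n + 1
        if (is_prime(r) and gcd(q, r) == 1 and nth_power_nonresidue(q, n, r)
                and cosets_distinct(q, k, n)):
            return k, r
    return None


def criteria_agree(q, n_max=8, k_max=12):
    """The gcd criterion of Theorem 6.6 and the direct coset check agree for
    every prime r = kn + 1 coprime to q in the range."""
    for n in range(2, n_max + 1):
        for k in range(1, k_max + 1):
            r = k * n + 1
            if is_prime(r) and gcd(q, r) == 1:
                if period_is_normal(q, k, n) != cosets_distinct(q, k, n):
                    return False
    return True


if __name__ == "__main__":
    for n in (2, 4, 5, 7, 9, 10):
        print(n, find_period_basis(2, n))   # (k, r) of the first period basis of F_{2^n}
```

For prime n the nonresidue test and the coset check coincide. For composite n the coset check is the stronger condition: a nonresidue q can still have $q^2 \in K$ (for example q = 2, n = 4, r = 17, where $2^4 = 16 \not\equiv 1$ but $2^2 = 4$ is a fourth power residue), which is why the search requires both.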

The existence of the prime kn + 1 is taken up in the following result; reference [Gao et al., p. 318, 1995] is an alternative source.

Theorem 6.8. (Wassermann 1993) Let $q = p^v$, p prime, and n ∈ ℕ. Suppose that both

(1) gcd(v, n) = 1, and
(2) 2p ∤ n if p ≡ 1 mod 4, or 4p ∤ n if p ≡ 2, 3 mod 4.

Then, assuming the extended Riemann hypothesis, there is an integer $k < c\,n^3(\log(np))^2$ such that r = kn + 1 is a prime and gcd(kn/d, n) = 1, where c is a constant independent of v, n, p, and d = ord_r(q) is the order of q modulo r.

Example 6.9. Let the integer r = 2n + 1 be a prime and let q = 2 be of order n or 2n modulo 2n + 1. Then the type (2, n) periods in the rth cyclotomic field F2(ω) extension of F2 are given by

$$\eta_i = \sum_{j=0}^{k-1}\omega^{2^{jn+i}} = \omega^{2^i} + \omega^{-2^i},$$

i = 0, 1, 2, …, n−1. The degree of the extension is [F2(ω) : F2] = n or 2n depending on n = 4c + 3 or n = 4c + 1 (also 4c + 2). This scheme of producing periods works whenever the order ord_r(q) = 2n, or q generates the nth power residues modulo r, but it can fail in other cases. For example, let r = 2n + 1 be prime, and let 2 be of order ord_r(q) = n modulo r. Since 2 does not generate the nth power residues K = { −1, 1 } modulo r, the previous method for constructing the type (2, n) periods in F2(ω) = $F_{q^{2n}}$ over F2 cannot be used. Instead the periods

$$\eta_0 = \sum_{x\in K_0}\omega^x = \omega + \omega^{-1},\quad \eta_1 = \sum_{x\in K_1}\omega^x = \omega^2 + \omega^{-2},\ \ldots,\ \eta_{n-1} = \sum_{x\in K_{n-1}}\omega^x = \omega^{2^{n-1}} + \omega^{-2^{n-1}}$$

are derived directly from the cosets K0 = { −1, 1 }, K1 = { −2, 2 }, K2 = { −2², 2² }, ..., $K_{n-1} = \{ -2^{n-1}, 2^{n-1} \}$. The resulting set of periods { η0, η1, ..., ηn−1 } constitutes a normal basis of $F_{q^n}$ over F2 of degree n = [$F_{q^n}$ : F2]. The field F2(ω + ω^{−1}) = $F_{q^n}$ is the maximal subfield of F2(ω). The diagram below shows the subgroup/subfield correspondence; the group of automorphisms of F2(ω) is Gal($F_{q^{2n}}$/F2) = { σ^i : 0 ≤ i < 2n }, and the subgroups are of the form Σd = { σ^{di} : 0 ≤ i < 2n/d }, d | 2n.

F n→ F (ω + ω −1 ) 2→ F (ω) 2 2 2

∑1 ← ∑ n ← ∑ 2n

Example 6.10. Consider the 29th cyclotomic field F2(ω), ω a primitive 29th root of unity, as an extension of F2. The value of the totient function is ϕ(29) = 2²⋅7, so there are intermediate subfields of degree 2, 4, 7 and 14. Each of these subfields has a period normal basis. The generating periods are

$$\alpha_i = \sum_{j=0}^{13}\omega^{2^{2j+i}},\quad \beta_i = \sum_{j=0}^{6}\omega^{2^{4j+i}},\quad \eta_i = \sum_{j=0}^{3}\omega^{2^{7j+i}},\quad \theta_i = \omega^{2^i} + \omega^{-2^i},$$

where the index i = 0, 1, …. The subfield F2(ω + ω^{−1}) is the maximal subfield of F2(ω), of degree 14 = [F2(ω + ω^{−1}) : F2]. The next subfield in this tower is F2(η), of degree 7 = [F2(η) : F2]. The map σ(ω) = ω² generates the automorphism group Gal(F2(ω)/F2) = { σ^i : 0 ≤ i < 28 } of F2(ω). The subgroups are Σd = { σ^{id} : 0 ≤ i < 28/d }, for d = 2, 4, 7, 14.

The subgroup and subfield correspondences are the following:

σ²(αi) = αi ⇔ the subgroup Σ2 = { σ^{2i} : 0 < i < 14 } fixes F2(αi),

σ⁴(βi) = βi ⇔ the subgroup Σ4 = { σ^{4i} : 0 < i < 7 } fixes F2(βi),

σ⁷(ηi) = ηi ⇔ the subgroup Σ7 = { σ^{7i} : 0 < i < 4 } fixes F2(η), and

σ^{14}(ω + ω^{−1}) = ω + ω^{−1} ⇔ the subgroup Σ14 = { 1, σ^{14} } fixes the subfield F2(ω + ω^{−1}).

Some of the fields and groups diagrams are illustrated below.

$$F_2 \xrightarrow{\ 7\ } F_2(\eta) \xrightarrow{\ 2\ } F_2(\omega + \omega^{-1}) \xrightarrow{\ 2\ } F_2(\omega)$$

$$\Sigma_1 \leftarrow \Sigma_7 \leftarrow \Sigma_{14} \leftarrow \Sigma_{28}$$

and

$$F_2 \xrightarrow{\ 2\ } F_2(\alpha) \xrightarrow{\ 2\ } F_2(\beta) \xrightarrow{\ 7\ } F_2(\omega)$$

$$\Sigma_1 \leftarrow \Sigma_2 \leftarrow \Sigma_4 \leftarrow \Sigma_{28}$$

Other Related Period Normal Bases

Let $F_{q^d}$ be an extension of $F_q$ and a subfield of $F_{q^n}$, n = de. The relative trace $Tr_{n:d} : F_{q^n} \to F_{q^d}$ is defined by

$$Tr_{n:d}(\alpha) = \alpha + \alpha^{q^d} + \alpha^{q^{2d}} + \cdots + \alpha^{q^{(e-1)d}}.$$

Lemma 6.11. (Period projection lemma) Suppose { η0, η1, ..., ηn−1 } is a period normal basis of $F_{q^n}$ over $F_q$, and let $\gamma_i = Tr_{n:d}(\eta_i) = \eta_i + \eta_{i+d} + \eta_{i+2d} + \eta_{i+3d} + \cdots + \eta_{i+n-d}$. Then the subset of elements { γ0, γ1, ..., γd−1 } is a normal basis of $F_{q^d}$ over $F_q$.

Proof: It is easy to verify that the elements γ0, γ1, ..., γd−1 are distinct and conjugates; moreover Trd:1(γi) = η0 + η1 + ⋅⋅⋅ + ηn−1 = −1. To confirm the linear independence of these elements, assume that a0γ0 + a1γ1 + ⋅⋅⋅ + ad−1γd−1 = 0 for some nonzero vector a = (a0, a1, ..., ad−1) ≠ (0, 0, ..., 0) and use the fact that { η0, η1, ..., ηn−1 } is a basis to reach a contradiction. ∎

As a demonstration of the period projection lemma, let r = 2n + 1 be a prime, let the integer q be of order 2n modulo r, and let 1 ≠ ω ∈ $F_{q^n}$ with ω^r = 1, r minimal. Then the following hold.

(1) The element ω generates a period normal basis of $F_{q^{2n}}$ over $F_q$.
(2) The relative trace $Tr_{2n:n}(\omega) = \omega + \omega^{-1}$ (since $q^n \equiv -1 \bmod r$) of the element ω generates a period normal basis of $F_{q^n}$ over $F_q$. Here 2 = [ $F_q(\omega)$ : $F_q(\omega + \omega^{-1})$ ], and the relative trace is $Tr_{2n:n} : F_{q^{2n}} \to F_{q^n}$.

6.3 Polynomial Representations of Periods

The normal elements in finite fields are represented in the multiplicative group of the polynomial algebra $F_q[x]/(x^n - 1)$ as invertible polynomials.

Definition 6.12. The polynomial representation of an element α ∈ $F_{q^n}$ is defined by

$$c_\alpha(x) = \sum_{i=0}^{n-1} Tr(\alpha^{1+q^i})\,x^i.$$

The significance of this correspondence is that the inverses of the polynomial representations of normal elements generate dual normal elements. The same map is also utilized to produce cyclic codes in this algebra.

More generally, for a fixed element ξ ∈ $F_{q^n}$, the function κ : $F_{q^n} \to F_q[x]/(x^n - 1)$ defined by

$$\alpha \mapsto \kappa(\alpha) = \sum_{i=0}^{n-1} Tr(\alpha\,\xi^{q^i})\,x^i$$

establishes a similar correspondence between elements and polynomial representations or n-tuples. The latter map is also used to reproduce the coefficient vectors (Tr(αξ^{n−1}), ..., Tr(αξ¹), Tr(αξ⁰)), α ∈ $F_{q^n}$, of the code words of cyclic codes.

Lemma 6.13. If the element η0 is normal over $F_q$, then the map

$$\eta_0 \mapsto c(x) = Tr(\eta_0\eta_{n-1})x^{n-1} + Tr(\eta_0\eta_{n-2})x^{n-2} + \cdots + Tr(\eta_0\eta_1)x + Tr(\eta_0\eta_0)$$

is into and sn-to-one, s ≥ 1. Moreover, c(x) is invertible in $F_q[x]/(x^n - 1)$.

The representations of arbitrary normal elements are not necessarily easy to determine, but the representations of period normal elements are not difficult to determine.

Lemma 6.14. Let r = kn + 1 be prime, and suppose that r ≡ 1 mod 2n. Then

(1) The polynomial representation of the period η0 of type (k, n) and its inverse are given by

$$c(x) = -k(x^{n-1} + x^{n-2} + \cdots + x) + (n-1)k + 1, \quad\text{and}$$

$$c^{-1}(x) = \frac{k}{kn+1}\left(x^{n-1} + x^{n-2} + \cdots + x + \frac{k+1}{k}\right).$$

(2) If q | k, then the representations of all the periods are mapped to c(x) = 1, viz.,

$$\{ \eta_0, \eta_1, \ldots, \eta_{n-1} \} \mapsto c(x) = 1.$$

Proof: (1) Let $c(x) = c_{n-1}x^{n-1} + c_{n-2}x^{n-2} + \cdots + c_1x + c_0$ be the polynomial representation of the normal element η0 ∈ $F_{q^n}$ over $F_q$. Then the ith coefficient ci of c(x) is given by

$$c_i = Tr(\eta_0\eta_i) = Tr\Big(k\varepsilon_i + \sum_{j=0}^{n-1}(i,j)\,\eta_j\Big) = \begin{cases} kn - \sum_{j=0}^{n-1}(i,j) & \text{if } -1 \in K_i,\\[4pt] -\sum_{j=0}^{n-1}(i,j) & \text{if } -1 \notin K_i.\end{cases}$$

The evaluation of ci = Tr(η0ηi) utilizes the linear expansion of the pairwise products η0ηj (see the chapter on Periods), the linearity of the trace function, and Tr(ηi) = −1. Moreover, applying the properties of the cyclotomic numbers (i, j), this becomes

$$c_i = Tr(\eta_0\eta_i) = \begin{cases} k(n-1) + 1 & \text{if } -1 \in K_i,\\ -k & \text{if } -1 \notin K_i.\end{cases}$$

By hypothesis r ≡ 1 mod 2n, so it follows that −1 ∈ K0, so the coefficients for the representation c(x) of η0 are c0 = Tr(η0η0) = (n − 1)k + 1, and ci = Tr(η0ηi) = −k, 0 < i < n. To verify that the given polynomials are inverses, compute $c(x)c^{-1}(x) \bmod (x^n - 1)$. ∎

The constraint −1 ∈ K0 holds whenever −1 is an nth power residue modulo r, or equivalently if and only if the equation $x^n = -1$ is solvable modulo r. This equation is always solvable if the parameter n in r = kn + 1 is odd or r ≡ 1 mod 2n. For the case −1 ∈ Kj for some j ≠ 0, cj = Tr(η0ηj) = (n − 1)k + 1, and ci = Tr(η0ηi) = −k for all i ≠ j.

It also should be observed that these representations of the periods work whether or not the periods form normal bases of the finite field $F_{q^n}$ over $F_q$.
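The representation c(x) of Lemma 6.14 and its inverse, multiplied out in $\mathbb{Q}[x]/(x^n - 1)$ for arbitrary k and n, as an added example (not the book's code). It also reduces the inverse modulo q to obtain the coefficients of the dual element δ0 = (η0 − k)/(kn + 1) of Lemma 6.16 in the basis η0, ..., ηn−1 (using η0 + ⋅⋅⋅ + ηn−1 = −1), the construction used in Section 6.4. The function names are my own.

```python
"""Polynomial representation of the period eta_0 (Lemma 6.14) and its inverse in
Q[x]/(x^n - 1), checked by direct multiplication.  Added example, not the book's
code.  Polynomials are coefficient lists [c_0, ..., c_{n-1}] (constant term first)."""

from fractions import Fraction


def poly_mul_mod_xn1(a, b):
    """Product in Q[x]/(x^n - 1): exponents add modulo n."""
    n = len(a)
    out = [Fraction(0)] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] += ai * bj
    return out


def representation(k, n):
    """c(x) = -k(x^{n-1} + ... + x) + (n-1)k + 1 of Lemma 6.14 (1)."""
    return [Fraction((n - 1) * k + 1)] + [Fraction(-k)] * (n - 1)


def inverse_representation(k, n):
    """c^{-1}(x) = (k/(kn+1))(x^{n-1} + ... + x) + (k+1)/(kn+1)."""
    d = Fraction(1, k * n + 1)
    return [(k + 1) * d] + [k * d] * (n - 1)


def is_inverse_pair(k, n):
    """True iff c(x) c^{-1}(x) = 1 in Q[x]/(x^n - 1)."""
    one = [Fraction(1)] + [Fraction(0)] * (n - 1)
    return poly_mul_mod_xn1(representation(k, n), inverse_representation(k, n)) == one


def dual_coefficients_mod_q(k, n, q):
    """Coefficients b_j with delta_0 = sum_j b_j eta_j over F_q (Lemma 6.16, -1 in K_0):
    delta_0 = (eta_0 - k)/(kn+1) = ((k+1) eta_0 + k eta_1 + ... + k eta_{n-1})/(kn+1),
    which is c^{-1}(x) reduced modulo q.  Requires gcd(kn + 1, q) = 1."""
    inv = pow(k * n + 1, -1, q)
    return [((k + 1) * inv) % q] + [(k * inv) % q] * (n - 1)


if __name__ == "__main__":
    for k, n in ((2, 2), (2, 3), (4, 7), (8, 2)):
        print(k, n, is_inverse_pair(k, n), inverse_representation(k, n))
```

For k = 2, n = 3, q = 2 (the entry n = 3 of Example 6.19) the reduced coefficients are [1, 0, 0], i.e. δ0 = η0: the basis is its own dual, as Lemma 6.17 (1) predicts for k even in characteristic 2.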

Example 6.15. (1) For r = 2k + 1 prime, k even, the polynomial representation of the quadratic period η0 and its inverse are given by

$$c(x) = -kx + k + 1 \quad\text{and}\quad c^{-1}(x) = \frac{k}{2k+1}x + \frac{k+1}{2k+1}.$$

And for k odd, the polynomial representation and its inverse are given by

$$c(x) = (k+1)x - k \quad\text{and}\quad c^{-1}(x) = \frac{k+1}{2k+1}x + \frac{k}{2k+1}.$$

(2) For r = 3k + 1, k even only, the polynomial representation of the cubic period η0 and its inverse are given by

$$c(x) = -k(x^2 + x) + 2k + 1 \quad\text{and}\quad c^{-1}(x) = \frac{k(x^2 + x)}{3k+1} + \frac{k+1}{3k+1}.$$

(3) For r = 4k + 1, k even, the polynomial representation of the quartic period is

$$c(x) = -k(x^3 + x^2 + x) + 3k + 1$$

and its inverse is

$$c^{-1}(x) = \frac{k(x^3 + x^2 + x)}{4k+1} + \frac{k+1}{4k+1}.$$

And for r = 4k + 1, k odd, $c(x) = c_3x^3 + c_2x^2 + c_1x - k$, where ci = k(n − 1) if −1 ∈ Ki, otherwise ci = −k.

6.4 Dual Period Normal Bases

This section considers a general method of determining dual bases of period normal bases, and continues to the self-dual period normal bases. The general construction of period dual normal bases uses the inverses of the polynomial representations of the period η0 in the polynomial algebra $F_q[x]/(x^n - 1)$.

Lemma 6.16. (Gao, von zur Gathen, Panario 1995) Let −1 ∈ Kr, 0 ≤ r < n − 1, and let δ = (η−r − k)/(kn + 1). Then

$$\delta_0 = \delta,\quad \delta_1 = \delta^q,\quad \delta_2 = \delta^{q^2},\ \ldots,\ \delta_{n-1} = \delta^{q^{n-1}}$$

is the dual basis of η0, η1, ..., ηn−1.

Proof: Compute the dual basis relation Tr(δiηj), specifically

$$Tr(\delta^{q^i}\eta^{q^j}) = Tr\Big(\frac{\eta^{q^{i-r}} - k}{kn+1}\,\eta^{q^j}\Big) = \frac{1}{kn+1}\Big[Tr(\eta^{q^{i-r}}\eta^{q^j}) - k\,Tr(\eta^{q^j})\Big] = \frac{1}{kn+1}\Big[Tr(\eta^{q^{i-r}}\eta^{q^j}) + k\Big]$$

since the trace Tr(ηi) = −1. Now replace the linear expansion of the pairwise terms ηiηj in Tr(ηiηj), use the linearity of the trace function, and Tr(x) = nx for x ∈ Fq, to obtain (for k even)

$$Tr(\eta\,\eta^{q^{j-i+r}}) = Tr\Big(k\varepsilon_{j-i+r} + \sum_{d=0}^{n-1}(j-i+r,d)\,\eta^{q^d}\Big) = \begin{cases} kn - \sum_{d=0}^{n-1}(j-i+r,d) & \text{if } -1 \in K_{j-i+r},\\[4pt] -\sum_{d=0}^{n-1}(j-i+r,d) & \text{if } -1 \notin K_{j-i+r}.\end{cases}$$

Using properties of the cyclotomic numbers (i, j), this reduces to

$$Tr(\eta\,\eta^{q^{j-i+r}}) = Tr(\eta^{q^{i-r}}\eta^{q^j}) = \begin{cases} k(n-1) + 1 & \text{if } -1 \in K_{j-i+r},\\ -k & \text{if } -1 \notin K_{j-i+r}.\end{cases}$$

Since k even means r = 0, substituting this into the last equation returns

$$Tr(\delta^{q^i}\eta^{q^j}) = \begin{cases} 1 & \text{if } i = j,\\ 0 & \text{if } i \neq j.\end{cases}$$

This completes the verification of the dual bases equation Tr(δiηj) = δi,j. ∎

Recall that a self-dual normal basis of $F_{q^n}$ over $F_q$ exists if and only if one of the following conditions holds.

(1) n = 2c + 1 and q = p^v, or
(2) n ≠ 4c and q = 2^v.

Lemma 6.17. (Gao, von zur Gathen, Panario 1995) Let n > 2. A normal basis { η0, η1, ..., ηn−1 } of $F_{q^n}$ over $F_q$ consisting of the type (k, n) periods is a self-dual basis if and only if one of the following conditions is met.

(1) n ≢ 0 mod 4, q = 2^v, and k is even.
(2) n ≢ 0 mod 2, q = p^v, p > 2 prime, and k is even and divisible by p.

Proof: (The original proof is not complete.) The condition on the degree n of the extension is required for the existence of self-dual normal bases of $F_{q^n}$ over $F_q$. The condition "k is even" ⇒ −1 ∈ K0, i.e., −1 is an nth power residue in Fr, r = kn + 1, so that δ = (η0 − k)/(kn + 1). The divisibility condition p | k is precisely the constraint needed to force the dual element to δ = (ηr − k)/(kn + 1) = (η0 − k)/(kn + 1) = η0 = η. ∎

In the first case, the condition k = even is sufficient to yield a self-dual period normal basis in characteristic 2; the divisibility statement is already met.

The 2-term period normal bases are the easiest to manage in calculations, and quite often these are self-dual period normal bases.

Lemma 6.18. Let r = 2n + 1 be a prime, and suppose that { η0, η1, ..., ηn−1 } is a period normal basis of $F_{q^n}$ over $F_q$. Then the type (2, n) periods constitute a self-dual basis if and only if condition (1) or (2) is satisfied.

(1) n ≠ 4c, and q = 2^v has order ord_r(q) = n or 2n modulo r.
(2) n = 2c + 1, and q = p^v, p > 2 prime, has order ord_r(q) = 2n modulo r.

Proof: (1) The parameters n ≠ 4c, q = 2^v signal the possibility of a self-dual normal basis. Since q has order n or 2n modulo r = 2n + 1, the n periods

$$\eta_0 = \omega + \omega^{-1},\quad \eta_1 = \omega^{q} + \omega^{-q},\quad \eta_2 = \omega^{q^2} + \omega^{-q^2},\ \ldots,\ \eta_{n-1} = \omega^{q^{n-1}} + \omega^{-q^{n-1}}$$

form a normal basis of $F_{q^n}$ over $F_q$. To verify the dual property, consider

$$\eta_i\eta_j = (\omega^{q^i} + \omega^{-q^i})(\omega^{q^j} + \omega^{-q^j}) = (\omega^{q^a} + \omega^{-q^a}) + (\omega^{q^b} + \omega^{-q^b}).$$

Now $q^i + q^j = q^a$ and $q^i - q^j = q^b$ in $\mathbb{Z}_r$, 0 ≤ a, b < r, whenever q generates the subset of quadratic residues, confer [1, Mullin et al.]. Combine these to obtain

$$Tr(\eta_i\eta_j) = \begin{cases} 1 & \text{if } i = j,\\ 0 & \text{if } i \neq j\end{cases}$$

as claimed. ∎

Example 6.19. Generators of self-dual period normal bases of $F_{2^n}$ over F2, for 1 < n < 11.

n = 2, r = 2⋅2 + 1 = 5, $\eta_0 = \omega + \omega^{-1}$, where 1 ≠ ω ∈ $F_{2^4}$ and ω⁵ = 1.
n = 3, r = 2⋅3 + 1 = 7, $\eta_0 = \omega + \omega^{-1}$, where 1 ≠ ω ∈ $F_{2^6}$ and ω⁷ = 1.
n = 4, none.
n = 5, r = 2⋅5 + 1 = 11, $\eta_0 = \omega + \omega^{-1}$, where 1 ≠ ω ∈ $F_{2^{10}}$ and ω¹¹ = 1.
n = 6, r = 2⋅6 + 1 = 13, $\eta_0 = \omega + \omega^{-1}$, where 1 ≠ ω ∈ $F_{2^{12}}$ and ω¹³ = 1.
n = 7, r = 4⋅7 + 1 = 29, $\eta_0 = \omega + \omega^{2^7} + \omega^{2^{14}} + \omega^{2^{21}}$, where 1 ≠ ω ∈ $F_{2^{28}}$ and ω²⁹ = 1.
n = 8, none.
n = 9, r = 2⋅9 + 1 = 19, $\eta_0 = \omega + \omega^{-1}$, where 1 ≠ ω ∈ $F_{2^{18}}$ and ω¹⁹ = 1.
n = 10, r = 4⋅10 + 1 = 41, $\eta_0 = \omega + \omega^{2^{10}} + \omega^{2^{20}} + \omega^{2^{30}}$, where 1 ≠ ω ∈ $F_{2^{40}}$ and ω⁴¹ = 1.
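Lemma 6.18 and Example 6.19 checked in F2(ω) as an added example (not the book's code): the type (k, n) periods are built as bit masks of exponents modulo r, products are cyclic convolutions, and the trace matrix (Tr(ηiηj)) of the degree-n subfield is computed directly. The restriction to primes r for which 2 is a primitive root is my own simplification (it makes the ring F2[x]/(x^r − 1) split as F2 ⊕ F2(ω)), so the entries n = 3 (r = 7) and n = 10 (r = 41) of the list, where 2 has order 3 and 20, are outside its scope; the function names are mine.

```python
"""Self-duality of period normal bases of F_{2^n} over F_2 (Lemma 6.18 and
Example 6.19), checked from the trace matrix (Tr(eta_i eta_j)).  Added example,
not the book's code.  Elements of F_2(omega), omega a primitive r-th root of
unity, are r-bit masks of exponents, i.e. elements of F_2[x]/(x^r - 1) with
x = omega.  Restricted to primes r with 2 a primitive root, so that Phi_r(x) is
irreducible over F_2 and an element lies in F_2 exactly when its mask is
0, 1, Phi_r or 1 + Phi_r."""


def is_prime(n):
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))


def mult_order(a, r):
    d, x = 1, a % r
    while x != 1:
        x, d = x * a % r, d + 1
    return d


def period_masks(k, n):
    """The n periods eta_i = sum of omega^x over the coset 2^i K, K = nth power
    residues modulo r = kn + 1; returns (r, [mask_0, ..., mask_{n-1}])."""
    r = k * n + 1
    assert is_prime(r), "r = kn + 1 must be prime"
    assert mult_order(2, r) == r - 1, "2 must be a primitive root modulo r"
    K = {pow(x, n, r) for x in range(1, r)}
    assert len(K) == k
    masks = []
    for i in range(n):
        c = pow(2, i, r)
        masks.append(sum(1 << (c * x % r) for x in K))
    return r, masks


def cyc_mul(a, b, r):
    """Product in F_2[x]/(x^r - 1): rotate b by every exponent present in a, xor."""
    full, out = (1 << r) - 1, 0
    for e in range(r):
        if a >> e & 1:
            out ^= ((b << e) | (b >> (r - e))) & full
    return out


def frobenius(c, r):
    """Squaring in characteristic 2 maps omega^e to omega^{2e}."""
    out = 0
    for e in range(r):
        if c >> e & 1:
            out |= 1 << (2 * e % r)
    return out


def trace_n(c, r, n):
    """Tr from F_{2^n} to F_2 of an element c of the degree-n subfield of F_2(omega):
    c + c^2 + ... + c^{2^{n-1}}, read off as 0 or 1 via the identification above."""
    t, s = 0, c
    for _ in range(n):
        t ^= s
        s = frobenius(s, r)
    phi = (1 << r) - 1          # mask of Phi_r(x) = 1 + x + ... + x^{r-1}, which is 0 in the field
    if t in (0, phi):
        return 0
    if t in (1, phi ^ 1):
        return 1
    raise ValueError("element is not in F_{2^n}")


def trace_matrix(k, n):
    """The matrix (Tr(eta_i eta_j)) of the type (k, n) periods over F_2."""
    r, eta = period_masks(k, n)
    return [[trace_n(cyc_mul(eta[i], eta[j], r), r, n) for j in range(n)] for i in range(n)]


def is_self_dual(k, n):
    """True iff (Tr(eta_i eta_j)) is the identity matrix, the dual basis condition."""
    m = trace_matrix(k, n)
    return all(m[i][j] == (1 if i == j else 0) for i in range(n) for j in range(n))


if __name__ == "__main__":
    for k, n in ((2, 2), (1, 4), (2, 5), (2, 6), (4, 7), (2, 9), (1, 10)):
        print((k, n), "r =", k * n + 1, "self-dual:", is_self_dual(k, n))
```

The type (1, 4) and (1, 10) periods (ω itself, r = 5 and r = 11) are normal bases but not self-dual, in agreement with Lemma 6.17 (1), which requires k even.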

CHAPTER 7

Period Normal Bases For Extensions of Low Degrees

Quadratic and Cubic Period Normal Bases

7.1 Quadratic Extensions

Several results concerning period normal bases for extensions of low degrees will be considered here. The existence results for extensions of low degree are quite often easy to verify and are subject to a variety of techniques not applicable to the general cases. The simplest period normal bases are those for quadratic, cubic, and quartic extensions of Fq.

The group of automorphisms of the quadratic extension $F_{q^2}$ of $F_q$ is the set Gal($F_{q^2}$/$F_q$) = { 1, σ } of linear maps σ : $F_{q^2}$ → $F_q$. The nontrivial automorphism is defined by σ(x) = x^q. Sometimes it is convenient to use the conjugation form σ(a + bθ) = a − bθ, where a, b ∈ Fq, and some θ ∉ Fq.

Lemma 1. Let p = 2k + 1 be a fixed prime, and suppose that q is a quadratic nonresidue modulo p; this requires q ≢ 1 mod p. Then the pair { η0, η1 } is a period normal basis of the quadratic extension $F_{q^2}$ over $F_q$.

Proof: Let ω ≠ 1 be a pth root of unity in some extension $F_{q^d}$ of $F_q$, q ≠ 2^v, let g be a generator of the multiplicative group of Fp, and write $q = g^{2a+1}$. Then

$$\eta_0 = \sum_{x\in K_0}\omega^x = \frac{1}{2}\sum_{x=1}^{p-1} e^{i2\pi x^2/p},\qquad \eta_1 = \sum_{x\in K_1}\omega^x = \frac{1}{2}\sum_{x=1}^{p-1} e^{i2\pi g x^2/p},$$

where $K_0 = \{ 1, g^2, g^4, \ldots, g^{p-3} \}$ and $K_1 = \{ q, qg^2, qg^4, \ldots, qg^{p-3} \}$. Since q ≢ 1 mod p, the element ω is not in Fq. Similarly η0, η1 ∉ Fq; this follows from $\eta_i^q \neq \eta_i$. The linear independence follows from the matrix determinant test for bases. Specifically, using the identity η0 + η1 = −1, this is

$$\det\begin{pmatrix}\eta_0 & \eta_1\\ \eta_1 & \eta_0\end{pmatrix} = \eta_1 - \eta_0 \neq 0.$$

Thus the set { η0, η1 } constitutes a normal basis of $F_{q^2}$ over $F_q$. ∎

Lemma 2. Let p be a prime and let q ≠ 2^v be a prime power. Then the quadratic periods

$$\eta_0 = \frac{-1 + (-1)^{(p-1)/4}\sqrt{p}}{2},\qquad \eta_1 = \frac{-1 - (-1)^{(p-1)/4}\sqrt{p}}{2}$$

form a basis of $F_{q^2}$ over $F_q$ if and only if the quadratic symbol $((-1)^{(p-1)/2}p \mid q) = -1$.

Copyright 2001. - 128 - Quadratic and Cubic Period Normal Bases

Proof: Compute the discriminant and the roots of the period polynomial $\psi_p(x) = x^2 + x + (1 - (-1)^{(p-1)/2}p)/4$. ∎

Remark: If gcd(n, q) ≠ 1, the identity

$$\eta_s = \sum_{x\in K_s}\omega^x = \frac{1}{n}\sum_{x=1}^{p-1} e^{i2\pi x^n/p},$$

s = 0, 1, …, n − 1, is not defined in characteristic char(Fq), so it cannot be used in calculations. However, the periods can still exist; in fact this is often the case for the quadratic periods in characteristic char(Fq) = 2.

From Lemmas 1 and 2 it is clear that quadratic periods are of the form a + bθ, with a, b ∈ Fq, but θ ∉ Fq. It is also clear that there is a close link between the existence of quadratic period normal bases and the residuacity of the integers p and q. The reciprocity law

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)(q-1)/4}$$

is one of the main tools used for determining the existence of various types of quadratic period normal bases.

Theorem 3. A pair of primes p and q determines a period normal basis of $F_{q^2}$ over $F_q$ if and only if either $((-1)^{(p-1)/2}p \mid q) = -1$ or $(q \mid p) = -1$ holds.

Proof: Easy. ∎

The suborder of an element α ∈ $F_{q^2}$ − $F_q$ is the smallest integer d such that $\alpha^d \in F_q$. The test $\alpha^d \notin F_q$ for all proper divisors d of q + 1 implies a suborder of subord(α) = q + 1.

Lemma 4. The period normal basis { η0, η1 } is a primitive normal basis of $F_{q^2}$ over $F_q$ if and only if the integer $(1 - (-1)^{(p-1)/2}p)/4$ is a primitive root modulo q, and $\eta_i^d \notin F_q$ for all d | q + 1.

Proof: The period polynomial $\psi_p(x) = x^2 + x + (1 - (-1)^{(p-1)/2}p)/4$ is a primitive polynomial in $F_q[x]$ if and only if the norm $N(\eta_0) = (-1)^2\psi_p(0) = (1 - (-1)^{(p-1)/2}p)/4$ is a primitive root modulo q, and the element η0 has suborder subord(η0) = q + 1. ∎

7.2 Dual Period Normal Bases of Quadratic Extensions

Let a(x) = a1x + a0 = kx + (1 − k), where ai = Tr(η0ηi), and b(x) = b1x + b0. The polynomial a(x) is the representation of the normal element η0 in the polynomial algebra $F_q[x]/(x^2 - 1)$, and b(x) is the inverse of a(x), that is, a(x)b(x) ≡ 1 mod (x² − 1).

Lemma 5. If the pair { η0, η1 } is a period normal basis of $F_{q^2}$ over $F_q$, then

$$\delta_0 = \frac{k+1}{2k+1}\eta_0 + \frac{k}{2k+1}\eta_1,\qquad \delta_1 = \frac{k}{2k+1}\eta_0 + \frac{k+1}{2k+1}\eta_1$$

or

$$\delta_0 = \frac{k}{2k+1}\eta_0 + \frac{k+1}{2k+1}\eta_1,\qquad \delta_1 = \frac{k+1}{2k+1}\eta_0 + \frac{k}{2k+1}\eta_1$$

is the dual basis, depending on p = 2k + 1 = 4m + 1 or 4m + 3.

Proof: Find the coefficients of b(x), and compute b(x)∘η0 = b0η0 + b1η1. ∎

The self-dual normal basis theorem rules out the existence of self-dual normal bases for quadratic extensions (more generally, n even). The result below gives a different way of confirming this for quadratic period normal bases. By definition a basis { η0, η1 } is a self-dual basis if and only if the trace matrix

$$(Tr(\eta_i\eta_j)) = \begin{pmatrix} Tr(\eta_0\eta_0) & Tr(\eta_0\eta_1)\\ Tr(\eta_1\eta_0) & Tr(\eta_1\eta_1)\end{pmatrix} = \begin{pmatrix} 1 & 0\\ 0 & 1\end{pmatrix}.$$

Lemma 6. (1) There is no self-dual period normal basis of any quadratic extension $F_{q^2}$ of $F_q$ for any odd prime q > 2.
(2) Let q = 2^v. Then the quadratic extension $F_{q^2}$ of $F_q$ has a self-dual period normal basis if and only if k ≡ 2 mod 4, and v is odd.

Proof: (1) Let p = 2k + 1, k even. The basis { η0, η1 } is a self-dual basis if and only if

Tr(η0η0) = Tr(η1η1) = 1 and Tr(η0η1) = Tr(η1η0) = 0.

But Tr(η0η0) = Tr((0,0)η0 + (0,1)η1 + k) = −(0,0) − (0,1) + 2k = k + 1, and Tr(η1η1) = Tr(η0η0) = k + 1. Likewise, Tr(η0η1) = Tr(η1η0) = −k. These imply that the integer k must be divisible by the characteristic of Fq, or equivalently k = 2qc, c ≥ 1. Put p = 2k + 1 = 4cq + 1. Then

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = \left(\frac{1}{q}\right)\left(\frac{q}{p}\right) = \left(\frac{q}{p}\right) = (-1)^{(p-1)(q-1)/4} = 1.$$

This immediately precludes the existence of quadratic period normal bases since η0 = (−1 + √p)/2, η1 = (−1 − √p)/2 ∈ Fq. The case of k odd is similar to this.

(2) If p ≠ 8a + 1 and q = 2^v, v is odd, then q is not a quadratic residue modulo p, so η0, η1 ∉ Fq and Tr(η1η1) = Tr(η0η0) = k + 1 = 1. ∎

7.3 Multiplications in Quadratic Extensions

The linear expansions of the pairwise products ηiηj of the periods will be employed to generate the multiplication table T = [ T0 T1 ] for multiplication in a quadratic extension $F_{q^2}$ of $F_q$ with respect to the period normal basis { η0, η1 }. The 2×2 submatrices Ti = ( ti,j,k ) are nonsingular and Ti coincides with the change of basis matrix for ηj → ηiηj. In the quadratic case, the submatrix T1 is equal to a row permutation of T0.

The pairwise products ηiηj of the quadratic periods are:

$$\eta_0\eta_0 = \Big(\sum_{x\in K_0}\omega^x\Big)\Big(\sum_{y\in K_0}\omega^y\Big) = (0,0)\,\eta_0 + (0,1)\,\eta_1 + k\delta_i,$$

$$\eta_0\eta_1 = \Big(\sum_{x\in K_0}\omega^x\Big)\Big(\sum_{y\in K_1}\omega^y\Big) = (1,0)\,\eta_0 + (1,1)\,\eta_1 + k\delta_i,$$

where K0 = { x² : 0 ≠ x ∈ Fq }, K1 = qK0, and δi = 1 if −1 ∈ Ki, otherwise δi = 0. The other combination is η1η1 = σ(η0η0) = (0, 1)η0 + (0, 0)η1. Here the action of the nontrivial automorphism of $F_{q^2}$ over $F_q$ is defined by σ(η0) = η1 and σ(η1) = η0.

The cyclotomic numbers (i, j) which appear in the linear expansions of ηiηj are:

(1) (0, 1) = (1, 0) = (1, 1) = k/2, and (0, 0) = (k − 2)/2, if k is even, or
(2) (0, 1) = (1, 0) = (1, 1) = (k + 1)/2, and (0, 0) = (k − 1)/2, if k is odd.

Accordingly, depending on the parameter k, there are two cases.

Case of −1 ∈ K or k even. The linear expansions of the pairwise products of the periods are:

$$\eta_0\eta_0 = (0,0)\,\eta_0 + (0,1)\,\eta_1 + k = \frac{k-2}{2}\eta_0 + \frac{k}{2}\eta_1 + k = -\frac{k+2}{2}\eta_0 - \frac{k}{2}\eta_1,$$

$$\eta_0\eta_1 = (1,0)\,\eta_0 + (1,1)\,\eta_1 = \frac{k}{2}\eta_0 + \frac{k}{2}\eta_1.$$

Case of −1 ∉ K and k odd. The linear expansions of the pairwise products of the periods are:

$$(1)\quad \eta_0\eta_0 = (0,0)\,\eta_0 + (0,1)\,\eta_1 = \frac{k-1}{2}\eta_0 + \frac{k+1}{2}\eta_1,$$

$$(2)\quad \eta_0\eta_1 = (1,0)\,\eta_0 + (1,1)\,\eta_1 + k = -\frac{k+1}{2}\eta_0 - \frac{k+1}{2}\eta_1.$$

Lemma 7. The matrix T0 is given by either

$$T_0 = \begin{pmatrix} -\frac{k+2}{2} & -\frac{k}{2}\\[4pt] \frac{k}{2} & \frac{k}{2}\end{pmatrix} \quad\text{or}\quad T_0 = \begin{pmatrix} \frac{k-1}{2} & \frac{k+1}{2}\\[4pt] -\frac{k+1}{2} & -\frac{k+1}{2}\end{pmatrix}$$

for k even or odd respectively.

Proof: The entries in T0 = ( ti,j ) are the coefficients in the linear expansions η0ηi = ti,0η0 + ti,1η1. ∎

Another simple and direct method of deducing this table is to calculate η0η0 = t0,0η0 + t0,1η1 and η0η1 = t1,0η0 + t1,1η1 in the field of complex numbers ℂ, which also yields the cyclotomic numbers (i, j).

Lemma 8. Let { η0, η1 } be a period normal basis of $F_{q^2}$ over $F_q$, and let x = x0η0 + x1η1 and y = y0η0 + y1η1, xi, yi ∈ Fq. Then the product xy in $F_{q^2}$ is given by

$$xy = (x_0\eta_0 + x_1\eta_1)(y_0\eta_0 + y_1\eta_1) = \Big[-\frac{k+2}{2}x_0y_0 + \frac{k}{2}(x_0y_1 + x_1y_0) - \frac{k}{2}x_1y_1\Big]\eta_0 + \Big[-\frac{k}{2}x_0y_0 + \frac{k}{2}(x_0y_1 + x_1y_0) - \frac{k+2}{2}x_1y_1\Big]\eta_1$$

if k is even; or, if k is odd, the product is given by

$$xy = (x_0\eta_0 + x_1\eta_1)(y_0\eta_0 + y_1\eta_1) = \Big[\frac{k-1}{2}x_0y_0 - \frac{k+1}{2}(x_0y_1 + x_1y_0) + \frac{k+1}{2}x_1y_1\Big]\eta_0 + \Big[\frac{k+1}{2}x_0y_0 - \frac{k+1}{2}(x_0y_1 + x_1y_0) + \frac{k-1}{2}x_1y_1\Big]\eta_1.$$

Let the weight of the matrix Ti be defined by w(Ti) = #{ ti,j,k ≠ 0 }. An optimal normal basis has a complexity of C = w(Ti) = 2n − 1. All optimal normal bases are generated by normal periods, confer [1, Mullin].

The optimal normal basis theorem claims the existence of an optimal normal basis of $F_{q^n}$ over $F_q$ of degree n = [ $F_{q^n}$ : $F_q$ ] for the following parameters.

(1) The integer n + 1 is prime and q has order n modulo n + 1.
(2) The integer 2n + 1 is prime and q = 2 has order n or 2n modulo 2n + 1.

Case (1) above includes only even n, for example the quadratic extension $F_{q^2}$ of $F_q$ for which q ≡ 2 mod 3, but not q ≡ 1 mod 3. Here is a proof for case (1) with n = 2. There is no claim about the optimal normal basis of $F_{q^2}$ of $F_q$ in characteristic char(Fq) = 3. The quadratic extension $F_{q^2}$ of $F_q$, q ≡ 2 mod 3, has the normal basis { η, η^q }, where η is a root of the period polynomial $\Psi_p(x) = x^2 + x + (1 - (-1)^{(p-1)/2}p)/4$, for example $\Psi_3(x) = x^2 + x + 1$.

Theorem 9. Let q be a quadratic nonresidue modulo p. Then

(1) The quadratic extension $F_{q^2}$ of $F_q$ has an optimal normal basis for all odd primes q = 3m + 2.
(2) If q = 3^v, then the quadratic extension $F_{q^2}$ of $F_q$ has an optimal normal basis if either v is odd and p ≡ 1, 5 mod 12, or v is even and p ≡ 7, 11 mod 12.

Proof: (1) Let q ≠ 3^v. First of all, a quadratic extension $F_{q^2}$ of $F_q$ has a period normal basis if and only if q is a quadratic nonresidue modulo p, so the quadratic symbol ( q | p ) = −1. Second, a normal basis is an optimal normal basis if and only if the submatrix T0 of the multiplication table T = [ T0 T1 ] of $F_{q^2}$ over $F_q$ has the discrete weight w(T0) = 2n − 1 = 3. By inspection it is easy to find that the submatrix

$$T_0 = \begin{pmatrix} -\frac{k+2}{2} & -\frac{k}{2}\\[4pt] \frac{k}{2} & \frac{k}{2}\end{pmatrix} = \begin{pmatrix} 0 & 1\\ -1 & -1\end{pmatrix} \quad\text{or}\quad T_0 = \begin{pmatrix} \frac{k-1}{2} & \frac{k+1}{2}\\[4pt] -\frac{k+1}{2} & -\frac{k+1}{2}\end{pmatrix} = \begin{pmatrix} 0 & 1\\ -1 & -1\end{pmatrix}$$

has a complexity of w(T0) = 3 if and only if k = 2(cq − 1) or 2cq + 1. This requires primes of the form p = 2k + 1 = 4cq − 3 or 4cq + 3. Furthermore, the reciprocity law gives

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = \left(\frac{-3}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)(q-1)/4} = 1$$

for even k = 2(cq − 1), which implies that q = 12a + 5 or 12a + 11 (since ( −3 | q ) = −1), or

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = \left(\frac{3}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)(q-1)/4} = (-1)^{(q-1)/2}$$

for odd k = 2cq + 1, which implies that q = 12a + 5 or 12a + 11 (since ( 3 | q ) = −1). The case of q = 3c + 1 fails because ( ±3 | q ) = 1. The proof for q = 3^v uses the same technique. ∎

Note: Use the relation

$$\left(\frac{3}{q}\right) = \begin{cases} -1 & \text{if } q \equiv \pm 5 \bmod 12,\\ 1 & \text{if } q \equiv \pm 1 \bmod 12\end{cases}$$

to evaluate the previous quadratic symbol equations, and determine the forms of the prime q.

For instance, in characteristic q = 3, 5, 11, 17, 23, ..., the sequence

$$F_{3^2},\ F_{5^2},\ F_{11^2},\ F_{17^2},\ F_{23^2},\ F_{29^2},\ \ldots$$

of quadratic extensions have optimal normal bases over Fq.

An optimal normal basis multiplier requires n(2n − 1) multiplications (AND cells if Fq = F2). For example, the quadratic multiplier uses 6 multiplication cells. The maximal number of multiplications in Fq needed to compute the product xy in $F_{q^2}$ is n³ = 8. But a proper selection of the integer k in the prime kn + 1 = 2k + 1 can reduce this number to the minimal n(2n − 1) = 6. And regrouping of the terms involving the products η0η1 and η1η0 further reduces it to 4.

Example 10. Construct a normal basis of the quadratic extension F9 of F3 of low complexity.

Solution: Select a prime p = 2k + 1 which reduces the weight of the matrix T0. This in turn reduces the number of terms xiyj in the product to a minimum. The primes p = 2k + 1 = 3c + 2 are suitable because q is a quadratic nonresidue modulo p, and there exists a period normal basis η0 = (−1 + √p)/2, η1 = (−1 − √p)/2 ∈ $F_{q^2}$ of complexity 2n − 1 = 3. Thus to compute the product (using 2⋅8 + 1 = 17, with k = 8),

$$xy = (x_0y_1 + x_1y_0 - x_1y_1)\eta_0 + (-x_0y_0 + x_0y_1 + x_1y_0)\eta_1 = [x_0y_1 + x_1(y_0 - y_1)]\eta_0 + [x_1y_0 - x_0(y_0 - y_1)]\eta_1$$

in F9, a total of n(2n − 1) = 6 multiplications in F3 are needed. But in practice this is simpler since xi, yj ∈ F3, and regrouping the terms reduces it to only four multiplications. Note that the period polynomial $\Psi_{17}(x) = x^2 + x - 1 \in F_3[x]$ is irreducible.
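Lemma 8 and the weight w(T0) of Theorem 9, checked as an added example (not the book's code): the product in the period basis is computed from the table T0 of Lemma 7 and compared, for every pair of elements of $F_{q^2}$, with multiplication in the power basis { 1, η0 } modulo ψp(x). The parameters p and q are chosen with ( q | p ) = −1 so that the basis exists (Lemma 1, Theorem 3); the function names are my own.

```python
"""Multiplication in F_{q^2} with respect to the quadratic period normal basis
{eta_0, eta_1} (Lemma 7, Lemma 8, weight of Theorem 9), checked against arithmetic
in the power basis {1, eta_0} modulo psi_p(x) = x^2 + x + (1 - (-1)^((p-1)/2) p)/4.
Added example, not the book's code.  q is an odd prime, p = 2k + 1 a prime
with (q | p) = -1."""


def legendre(a, p):
    """Legendre symbol (a | p), p an odd prime, by Euler's criterion."""
    v = pow(a % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def table_t0(k, q):
    """T_0 of Lemma 7 reduced mod q: row 0 = eta_0*eta_0, row 1 = eta_0*eta_1,
    columns = coefficients of eta_0, eta_1.  All divisions by 2 are exact."""
    if k % 2 == 0:                       # -1 in K_0, p = 1 (mod 4)
        return [[(-(k + 2) // 2) % q, (-k // 2) % q],
                [(k // 2) % q, (k // 2) % q]]
    return [[((k - 1) // 2) % q, ((k + 1) // 2) % q],      # -1 not in K_0, p = 3 (mod 4)
            [(-(k + 1) // 2) % q, (-(k + 1) // 2) % q]]


def weight(t):
    """w(T_0) = number of nonzero entries; an optimal normal basis has w = 2n - 1 = 3."""
    return sum(1 for row in t for v in row if v != 0)


def mul_period_basis(x, y, k, q):
    """(x0 eta_0 + x1 eta_1)(y0 eta_0 + y1 eta_1) by the formulas of Lemma 8,
    using eta_1*eta_1 = sigma(eta_0*eta_0) (coefficients of T_0 row 0 swapped)."""
    (x0, x1), (y0, y1) = x, y
    t = table_t0(k, q)
    c0 = x0 * y0 * t[0][0] + (x0 * y1 + x1 * y0) * t[1][0] + x1 * y1 * t[0][1]
    c1 = x0 * y0 * t[0][1] + (x0 * y1 + x1 * y0) * t[1][1] + x1 * y1 * t[0][0]
    return (c0 % q, c1 % q)


def period_constant(p, q):
    """Constant term c of psi_p(x) = x^2 + x + c, reduced mod q."""
    sign = 1 if ((p - 1) // 2) % 2 == 0 else -1
    num = 1 - sign * p                   # -2k for k even, 2k + 2 for k odd: divisible by 4
    return (num // 4) % q


def mul_power_basis(u, v, c, q):
    """(a + b eta_0)(e + f eta_0) with eta_0^2 = -eta_0 - c."""
    (a, b), (e, f) = u, v
    return ((a * e - b * f * c) % q, (a * f + b * e - b * f) % q)


def to_power_basis(x):
    """x0 eta_0 + x1 eta_1 = (x0 - x1) eta_0 - x1, since eta_1 = -1 - eta_0."""
    return (-x[1], x[0] - x[1])


def to_period_basis(u):
    """a + b eta_0 = (b - a) eta_0 - a eta_1."""
    return (u[1] - u[0], -u[0])


def lemma8_holds(p, q):
    """Compare Lemma 8 with power-basis arithmetic for every pair of elements of F_{q^2}."""
    assert p % 2 == 1 and q % 2 == 1 and legendre(q, p) == -1
    k, c = (p - 1) // 2, period_constant(p, q)
    assert all((x * x + x + c) % q for x in range(q))    # psi_p irreducible: eta_0 not in F_q
    elems = [(a, b) for a in range(q) for b in range(q)]
    for x in elems:
        for y in elems:
            via_table = mul_period_basis(x, y, k, q)
            u = mul_power_basis(to_power_basis(x), to_power_basis(y), c, q)
            via_poly = tuple(v % q for v in to_period_basis(u))
            if via_table != via_poly:
                return False
    return True


if __name__ == "__main__":
    for p, q in ((17, 3), (7, 5), (11, 7), (13, 5)):
        print(p, q, lemma8_holds(p, q), "w(T0) =", weight(table_t0((p - 1) // 2, q)))
```

`weight(table_t0(8, 5))` is 3 for p = 17, q = 5 (a prime of the form 4cq − 3, as in the proof of Theorem 9), while `weight(table_t0(3, 5))` is 4 for p = 7, q = 5.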


7.4 Criteria For Cubic Nonresidues

The partition of the primes p = 3k + 1 is used throughout this section. These primes factor as p = (a + bω)(a − bω) in the quadratic domain ℤ[ω], where ω² + ω + 1 = 0. Note that p = 3k + 1 = a² − ab + b². In addition there is a pair of unique integers A and B such that 4p = A² + 27B².

Information about the cubic residuacity of the primes q modulo p is essential in the construction of cubic period bases. A few criteria for selecting pairs of primes p, q which are parameters of cubic period normal bases are given here. These criteria are of general interest in various areas of mathematics.

Theorem 11. Let p = 3k + 1 be a prime, and 4p = A² + 27B², A ≡ 1 mod 3. Then

$$(1)\quad 2^{(p-1)/3} \equiv \frac{A + 9B}{A - 9B} \bmod p,\ \text{ if } A \equiv B \bmod 4.$$

$$(2)\quad 3^{(p-1)/3} \equiv \frac{A + 9B}{A - 9B} \bmod p,\ \text{ if } B \equiv -1 \bmod 3.$$

Proof: See [1, Williams 1975]. ∎

Theorem 12. Let p = 3k + 1, and 4p = A² + 27B², A ≡ 1 mod 3. Then

(1) q = 2 is a cubic residue modulo p if and only if 2 | A.
(2) q = 3 is a cubic residue modulo p if and only if 9 | 3B.
(3) q = 5 is a cubic residue modulo p if and only if 5 | A and 5 | 3B.
(4) q = 7 is a cubic residue modulo p if and only if 7 | A and 7 | 3B.

Proof: Confer [1, Berndt et al., pp. 213-215]. ∎

These last results are useful tools in the implementation of search algorithms for sequences of primes for which q = 2, 3, 5, and 7 are cubic nonresidues.

Example 13. (1) The integer q = 2 is a cubic nonresidue for all primes p = 3k + 1 for which 4p = (6a + 1)² + 27(6b + 1)², a, b ≥ 1. For instance, p = 7, 19, ….

(2) The integer q = 5 is a cubic nonresidue for all primes p = 3k + 1 for which 4p = (30a + 1)² + 27(30b + 1)², a, b ≥ 1, et cetera.

Theorem 14. Let 4p = A² + 27B², A ≡ 1 mod 3, and let q ≠ 2, 3, p so that q ≡ ±1 mod 6. Then q is a cubic nonresidue modulo p if and only if

$$\left(\frac{A + iB\sqrt{3}}{A - iB\sqrt{3}}\right)^{(q-\varepsilon)/6} \not\equiv \left(\frac{p}{q}\right) \bmod q,$$

where ε = ±1, and q ≡ ε mod 6.

For a fixed q ≠ 2, 3, p, the congruence parametrizes a sequence of primes p (or, for a fixed p, the congruence parametrizes a sequence of primes q ≠ 2, 3, p). In turn, this realizes a search algorithm for the primes p such that q is a cubic nonresidue modulo p. For example, let q = 7; then for any prime p = 3k + 1 > 7 which satisfies the congruence

$$\frac{A + 2B}{A - 2B} \not\equiv \left(\frac{p}{7}\right) \bmod 7,$$

q = 7 is a cubic nonresidue modulo p.

7.5 Period Normal Bases of Cubic Extensions

The next simple period normal bases are those for cubic extensions $F_{q^3}$ of $F_q$. The group of automorphisms of the cubic extension $F_{q^3}$ of $F_q$ is the set Gal($F_{q^3}$/$F_q$) = { 1, σ, σ² } of linear maps σ : $F_{q^3}$ → $F_q$. The nontrivial automorphism is defined by σ(x) = x^q.

Theorem 15. Let p = 3k + 1 be a prime, and 4p = A² + 27B², A ≡ 1 mod 3, and let ω be a cube root of unity. Then the three conjugates of

$$\eta_i = -\frac{1}{3} + \frac{p^{1/3}}{3}\left[\omega\left(\frac{A + iB\sqrt{3}}{2}\right)^{1/3} + \omega^2\left(\frac{A - iB\sqrt{3}}{2}\right)^{1/3}\right]$$

form the set of cubic periods.

Proof: Determine the three roots g0, g1, and g2 of the reduced period polynomial $\Theta_p(x) = x^3 - 3px - Ap$, and use the linear relation

$$\eta_i = \frac{-1 + g_i}{3}.$$

The permutation π(0) = i, π(1) = j, π(2) = k of { 0, 1, 2 } which identifies the indices of the three periods ηi, ηj, ηk is unknown. ∎

Theorem 16. Let $p = 3k + 1$ be a fixed prime, $4p = A^2 + 27B^2$, $A \equiv 1 \bmod 3$, and let $q \ne 3^v$ be a cubic nonresidue modulo $p$; this requires $q \not\equiv 1 \bmod p$. Then

(1) The triple $\{\eta_0, \eta_1, \eta_2\}$ is a period normal basis of the cubic extension $\mathbb{F}_{q^3}$ over $\mathbb{F}_q$.

(2) If the integer $[p(A + 3) - 1]/27$ is a primitive root modulo $q$, and $\eta_i^d \notin \mathbb{F}_q$ for all divisors $d$ of $q^2 + q + 1$, then $\{\eta_0, \eta_1, \eta_2\}$ is a primitive period normal basis of $\mathbb{F}_{q^3}$ over $\mathbb{F}_q$.

Proof: (1) Let $\omega \ne 1$ be a $p$th root of unity in some extension $\mathbb{F}_{q^d}$ of $\mathbb{F}_q$, let $g$ be a generator of the multiplicative group of $\mathbb{F}_p$, and write $q = g^{3a+1}$. Then

$$\eta_0 = \sum_{x \in K_0}\omega^x = \frac{1}{3}\sum_{x=1}^{p-1} e^{i2\pi x^3/p}, \quad \eta_1 = \sum_{x \in K_1}\omega^x = \frac{1}{3}\sum_{x=1}^{p-1} e^{i2\pi g x^3/p}, \quad \eta_2 = \sum_{x \in K_2}\omega^x = \frac{1}{3}\sum_{x=1}^{p-1} e^{i2\pi g^2 x^3/p},$$

where $K_0 = \{1, g^3, g^6, \dots, g^{3(k-1)}\}$, $K_1 = \{q, qg^3, qg^6, \dots, qg^{3(k-1)}\}$, and $K_2 = \{q^2, q^2g^3, q^2g^6, \dots, q^2g^{3(k-1)}\}$. Since $q \not\equiv 1 \bmod p$, the element $\omega$ is not in $\mathbb{F}_q$, and similarly $\eta_0, \eta_1, \eta_2 \notin \mathbb{F}_q$. Moreover, since $q$ is a cubic nonresidue, the three periods are conjugates and their traces are $\mathrm{Tr}(\eta_i) = \eta_0 + \eta_1 + \eta_2 = -1$. To confirm the linear independence, the matrix determinant test requires that

$$\det\begin{pmatrix} \eta_0 & \eta_1 & \eta_2 \\ \eta_1 & \eta_2 & \eta_0 \\ \eta_2 & \eta_0 & \eta_1 \end{pmatrix} = 3\eta_0\eta_1\eta_2 - (\eta_0^3 + \eta_1^3 + \eta_2^3) \ne 0.$$

From the coefficients of the cubic period polynomial $\psi_p(x) = x^3 + x^2 - \frac{p-1}{9}x - \frac{p(A+3)-1}{27}$ it readily follows that

$$\eta_0\eta_1\eta_2 = \frac{p(A+3)-1}{27}, \quad \text{and} \quad \eta_0^3 + \eta_1^3 + \eta_2^3 = \frac{p(A-6)-1}{9}.$$

Thus $\det(N) = p$, and the set $\{\eta_0, \eta_1, \eta_2\}$ is a basis of $\mathbb{F}_{q^3}$ over $\mathbb{F}_q$.

(2) The polynomial $\psi_p(x) \in \mathbb{F}_q[x]$ is primitive if and only if the integer $N(\eta_i) = (-1)^3\psi_p(0) = [p(A+3) - 1]/27$ is a primitive root modulo $q$ ($N(\eta_i)$ is the norm of $\eta_i$), and the element $\eta_i$ is of suborder $q^2 + q + 1$.

Example 17. (1) The cubic periods $\{\eta_0, \eta_1, \eta_2\}$ form a basis of $\mathbb{F}_{2^3}$ over $\mathbb{F}_2$ for all primes $p = 3k + 1$ such that $4p = (6a+1)^2 + 27(6b+1)^2$, $A = 6a + 1 \equiv 1 \bmod 3$, since the period polynomial $\psi_p(x) = x^3 + x^2 - 1 \in \mathbb{F}_2[x]$ is irreducible.

(2) Let $p = 7$, $A = 1$, and $\eta_0 = \omega + \omega^{-1}$, $\omega^7 = 1$, $\omega \ne 1$ (note $K_0 = \{-1, 1\}$ is the set of cubic residues in $\mathbb{F}_7$). The periods form a basis of $\mathbb{F}_{q^3}$ over $\mathbb{F}_q$ for all $q \not\equiv 2, 3 \bmod 7$ not a cubic residue. For these $q$, the period polynomial $\psi_p(x) = x^3 + x^2 - 2 \cdot 3^{-1}x - 1 \in \mathbb{F}_q[x]$ is irreducible.


7.6 Dual Period Normal Bases of Cubic Extensions

Let $a(x) = a_2x^2 + a_1x + a_0 = -k(x^2 + x) + 2k + 1$ and $b(x) = b_2x^2 + b_1x + b_0$, where $a_i = \mathrm{Tr}(\eta_0\eta_i)$ and $a(x)b(x) \equiv 1 \bmod x^3 - 1$. If the set of elements $\{\eta_0, \eta_1, \eta_2\}$ is a normal basis of $\mathbb{F}_q(\eta_0)$ over $\mathbb{F}_q$, then the linear combination

$$b_0\eta_0 + b_1\eta_1 + b_2\eta_2$$

is the dual element of $\eta_0$. For the cubic periods of type $(k, 3)$, $3k + 1$ prime, this gives the following.

Lemma 18. Let $p = 3k + 1$, and suppose that $\{\eta_0, \eta_1, \eta_2\}$ is the period normal basis of a cubic extension $\mathbb{F}_{q^3}$ over $\mathbb{F}_q$. Then

$$\delta_0 = \frac{k}{p}(\eta_2 + \eta_1) + \frac{2k+1}{p}\eta_0, \quad \delta_1 = \frac{k}{p}(\eta_0 + \eta_2) + \frac{2k+1}{p}\eta_1, \quad \delta_2 = \frac{k}{p}(\eta_0 + \eta_1) + \frac{2k+1}{p}\eta_2$$

is the dual basis. Moreover, if either $q = 2^v$ or $k = aq$, then this is a self-dual basis.

Proof: Direct calculations. 

Lemma 19. Every cubic extension Fq3 of Fq has a self-dual period normal basis.

Proof: For a self-dual basis the trace matrix equation is

$$(\mathrm{Tr}(\eta_i\eta_j)) = \begin{pmatrix} \mathrm{Tr}(\eta_0\eta_0) & \mathrm{Tr}(\eta_0\eta_1) & \mathrm{Tr}(\eta_0\eta_2) \\ \mathrm{Tr}(\eta_1\eta_0) & \mathrm{Tr}(\eta_1\eta_1) & \mathrm{Tr}(\eta_1\eta_2) \\ \mathrm{Tr}(\eta_2\eta_0) & \mathrm{Tr}(\eta_2\eta_1) & \mathrm{Tr}(\eta_2\eta_2) \end{pmatrix} = \begin{pmatrix} 3k+1 & -k & -k \\ -k & 3k+1 & -k \\ -k & -k & 3k+1 \end{pmatrix}.$$

Now take $k = 2qc$, $c \ge 1$, and select a prime $p = 6qc + 1$ such that $q$ is a cubic nonresidue modulo $p$.

7.7 Multiplications in Cubic Extensions

The action of the generator $\sigma$ of the group of automorphisms $\sigma : \mathbb{F}_{q^3} \to \mathbb{F}_{q^3}$ is defined by $\sigma(\eta_0) = \eta_1$, $\sigma(\eta_1) = \eta_2$, and $\sigma(\eta_2) = \eta_0$. This is utilized to determine all the products $\eta_i\eta_j$ and to complete the multiplication table for cubic extensions.

The relevant pairwise products for this case are:

$$(1)\quad \eta_0\eta_0 = \Big(\sum_{x \in K_0}\omega^x\Big)\Big(\sum_{y \in K_0}\omega^y\Big) = (0,0)\eta_0 + (0,1)\eta_1 + (0,2)\eta_2 + k,$$

$$(2)\quad \eta_0\eta_1 = \Big(\sum_{x \in K_0}\omega^x\Big)\Big(\sum_{y \in K_1}\omega^y\Big) = (1,0)\eta_0 + (1,1)\eta_1 + (1,2)\eta_2,$$

$$(3)\quad \eta_0\eta_2 = \Big(\sum_{x \in K_0}\omega^x\Big)\Big(\sum_{y \in K_2}\omega^y\Big) = (2,0)\eta_0 + (2,1)\eta_1 + (2,2)\eta_2,$$

where K0, K1, and K2 are the cosets of cubic residues and nonresidues in Fp. The other pairwise products are computed via the automorphism:

η1η1 = σ(η0η0) = (0, 2)η0 + (0, 0)η1 + (0, 1)η2,

η1η2 = σ(η0η1) = (1, 2)η0 + (1, 0)η1 + (1, 1)η2, and

η2η2 = σ(η1η1) = (0, 1)η0 + (0, 2)η1 + (0, 0)η2.

For the prime $p = 3k + 1$, $4p = A^2 + 27B^2$, $A \equiv 1 \bmod 3$, $3B \equiv (g^{(p-1)/3} - g^{2(p-1)/3}) \bmod 3$, and $g$ primitive modulo $p$, the cyclotomic numbers $(i, j)$ which appear in the linear expansions are

(1) (0, 0) = (p − 8 + A)/9

(2) (0, 1) = (1, 0) = (2, 2) = (2p − 4 − A + 9B)/18,

(3) (0, 2) = (2, 0) = (1, 1) = (2p − 4 − A − 9B)/18, and

(4) (1, 2) = (2, 1) = (p + 1 + A)/9.

The expressions for the products of the periods are

$$(1)\quad \eta_0\eta_0 = \frac{A - 2p - 5}{9}\eta_0 + \frac{2 - 4p - A + 9B}{18}\eta_1 + \frac{2 - 4p - A - 9B}{18}\eta_2,$$

$$(2)\quad \eta_0\eta_1 = \frac{2p - 4 - A + 9B}{18}\eta_0 + \frac{2p - 4 - A - 9B}{18}\eta_1 + \frac{p + 1 + A}{9}\eta_2,$$

and

$$(3)\quad \eta_0\eta_2 = \frac{2p - 4 - A - 9B}{18}\eta_0 + \frac{p + 1 + A}{9}\eta_1 + \frac{2p - 4 - A + 9B}{18}\eta_2.$$

The constraint $3B \equiv (g^{(p-1)/3} - g^{2(p-1)/3}) \bmod 3$ identifies a unique choice from the two possibilities $\pm B$. These linear expansions generate the multiplication table for multiplication in a cubic extension $\mathbb{F}_{q^3}$ of $\mathbb{F}_q$ with respect to the period normal basis $\{\eta_0, \eta_1, \eta_2\}$. The change of basis matrix $\eta_i \to \eta_0\eta_i$ coincides with the $3 \times 3$ submatrix $T_0$ of the multiplication table $T = [T_0\ T_1\ T_2]$ of the cubic extension.

Lemma 20. The multiplication matrix of Fq3 over Fq is generated by

$$T_0 = \begin{pmatrix} t_{0,0} & t_{0,1} & t_{0,2} \\ t_{1,0} & t_{1,1} & t_{1,2} \\ t_{2,0} & t_{2,1} & t_{2,2} \end{pmatrix} = \frac{1}{18}\begin{pmatrix} 2(A - 2p - 5) & 2 - 4p - A + 9B & 2 - 4p - A - 9B \\ 2p - 4 - A + 9B & 2p - 4 - A - 9B & 2(p + 1 + A) \\ 2p - 4 - A - 9B & 2(p + 1 + A) & 2p - 4 - A + 9B \end{pmatrix}.$$

Proof: These are the coefficients in the linear expansions $\eta_0\eta_i = t_{i,0}\eta_0 + t_{i,1}\eta_1 + t_{i,2}\eta_2$.

Lemma 21. Let $\{\eta_0, \eta_1, \eta_2\}$ be a period normal basis of $\mathbb{F}_{q^3}$ over $\mathbb{F}_q$. Then the product of the two elements $x = x_0\eta_0 + x_1\eta_1 + x_2\eta_2$ and $y = y_0\eta_0 + y_1\eta_1 + y_2\eta_2$, $x_i, y_i \in \mathbb{F}_q$, in $\mathbb{F}_{q^3}$ is given by $xy = c_0\eta_0 + c_1\eta_1 + c_2\eta_2$, where

$$c_0 = x_0y_0t_{0,0} + x_2y_2t_{0,1} + x_1y_1t_{0,2} + (x_0y_1 + x_1y_0)t_{1,0} + (x_1y_2 + x_2y_1)t_{1,2} + (x_0y_2 + x_2y_0)t_{2,0},$$

$$c_1 = x_0y_0t_{0,1} + x_2y_2t_{0,2} + x_1y_1t_{0,0} + (x_0y_1 + x_1y_0)t_{1,1} + (x_1y_2 + x_2y_1)t_{1,0} + (x_0y_2 + x_2y_0)t_{2,1},$$

$$c_2 = x_0y_0t_{0,2} + x_2y_2t_{0,0} + x_1y_1t_{0,1} + (x_0y_1 + x_1y_0)t_{1,2} + (x_1y_2 + x_2y_1)t_{1,1} + (x_0y_2 + x_2y_0)t_{2,2},$$

and $c_i \in \mathbb{F}_q$.

Proof: Direct calculations. 

Theorem 22. The cubic extension $\mathbb{F}_{q^3}$ of $\mathbb{F}_q$ has an optimal normal basis for all even prime powers $q = 2^v$ if and only if $\gcd(v, 3) = 1$.

A proper selection of the integer $k$ in the prime $kn + 1 = 3k + 1$ can reduce the number of multiplications in $\mathbb{F}_q$ needed to compute the product $xy$ in $\mathbb{F}_{q^3}$ to a minimum of $3n - 2 = 7$ multiplications in characteristic $\operatorname{char}(\mathbb{F}_q) \ne 2$, or to a minimum of $2n - 1 = 5$ multiplications in characteristic $\operatorname{char}(\mathbb{F}_q) = 2$ with $q = 2^v$, $\gcd(v, 3) = 1$.

Example 23. Construct a normal basis of the cubic extension $\mathbb{F}_{5^3}$ of $\mathbb{F}_5$ of low complexity. Solution: Select a prime $p = 3k + 1$ which reduces the number of terms $x_iy_j$ in the product to a minimum. Any prime in the sequence of primes $p = 6k + 1$ such that $4p = (30a+1)^2 + 27(\pm(30b+1))^2$ is suitable, because $q = 5$ is a cubic nonresidue and the multiplication submatrix is

$$T_0 = \begin{pmatrix} t_{0,0} & t_{0,1} & t_{0,2} \\ t_{1,0} & t_{1,1} & t_{1,2} \\ t_{2,0} & t_{2,1} & t_{2,2} \end{pmatrix} = \frac{1}{18}\begin{pmatrix} -1 & -2 - B & -2 + B \\ -1 - B & -1 + B & 3 \\ -1 + B & 3 & -1 - B \end{pmatrix} \pmod 5.$$

There are two matrices, depending on $B = 1$ or $B = -1$. These are

$$T_0 = \begin{pmatrix} t_{0,0} & t_{0,1} & t_{0,2} \\ t_{1,0} & t_{1,1} & t_{1,2} \\ t_{2,0} & t_{2,1} & t_{2,2} \end{pmatrix} = \begin{pmatrix} -2 & -1 & -2 \\ 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix} \quad \text{or} \quad \begin{pmatrix} -2 & -2 & -1 \\ 0 & 1 & 1 \\ 1 & 1 & 0 \end{pmatrix}.$$

The period polynomial $\psi_p(x) = x^3 + x^2 + x - 1 \in \mathbb{F}_5[x]$ is irreducible and invariant with respect to these primes.

The product $xy = c_0\eta_0 + c_1\eta_1 + c_2\eta_2$, where

$$c_0 = x_0y_0t_{0,0} + x_2y_2t_{0,1} + x_1y_1t_{0,2} + (x_0y_1 + x_1y_0)t_{1,0} + (x_1y_2 + x_2y_1)t_{1,2} + (x_0y_2 + x_2y_0)t_{2,0},$$

$$c_1 = x_0y_0t_{0,1} + x_2y_2t_{0,2} + x_1y_1t_{0,0} + (x_0y_1 + x_1y_0)t_{1,1} + (x_1y_2 + x_2y_1)t_{1,0} + (x_0y_2 + x_2y_0)t_{2,1},$$

$$c_2 = x_0y_0t_{0,2} + x_2y_2t_{0,0} + x_1y_1t_{0,1} + (x_0y_1 + x_1y_0)t_{1,2} + (x_1y_2 + x_2y_1)t_{1,1} + (x_0y_2 + x_2y_0)t_{2,2},$$

is computed with just $n(3n - 2) + n^2 = 30$ multiplications in $\mathbb{F}_q$. But regrouping the terms reduces it to only 22 multiplications. Further reduction is possible depending on the characteristic $\operatorname{char}(\mathbb{F}_q)$.

Note: The quadratic term $n^2$ in the total number of multiplications $n(3n - 2) + n^2$ for bases of low complexity $3n - 2$ accounts for the multiplications needed to obtain $x_iy_j$.
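The construction of Sections 7.5 to 7.7 carried out in Python, as an added example that is not the author's code: it counts the cyclotomic numbers (i, j) directly in F_p, assembles the submatrix T_0 of Lemma 20 from them (the sign of B is fixed by matching the closed forms (1)-(4) to the counts, an assumption replacing the congruence stated above, so the outcome depends on the generator g chosen), multiplies in F_{q^3} with the formula of Lemma 21, and checks that the resulting table is a field exactly when q is a cubic nonresidue modulo p, as Theorem 16 requires. All function names are this example's own.

```python
# Cubic period normal basis arithmetic (added example, not the author's code).
# An element of F_{q^3} is a triple (x0, x1, x2) standing for x0*eta0 + x1*eta1 + x2*eta2.
# Cyclotomic numbers are counted in F_p, T0 of Lemma 20 is built from them, Lemma 21 multiplies.
from itertools import product
from math import isqrt

def primitive_root(p):
    """Smallest generator g of the multiplicative group of F_p (p prime)."""
    factors = [r for r in range(2, p) if (p - 1) % r == 0 and all(r % s for s in range(2, r))]
    return next(g for g in range(2, p) if all(pow(g, (p - 1) // r, p) != 1 for r in factors))

def cyclotomic_numbers(p):
    """(i, j) = #{x in K_i : x + 1 in K_j}, where K_0 is the set of nonzero cubic residues
    mod p = 3k + 1 and K_i = g^i K_0.  Returned as a 3x3 list n[i][j]."""
    g = primitive_root(p)
    coset = {}                                    # element -> index of the coset containing it
    for i in range(3):
        for x in range(1, p):
            coset[pow(g, i, p) * pow(x, 3, p) % p] = i
    n = [[0] * 3 for _ in range(3)]
    for x in range(1, p - 1):                     # x = p - 1 is excluded since x + 1 = 0
        n[coset[x]][coset[x + 1]] += 1
    return n

def quadratic_form(p, n):
    """A, B with 4p = A^2 + 27B^2 and A = 1 (mod 3).  The sign of B is fixed by requiring the
    closed forms (1)-(4) of Section 7.7 to reproduce the counted (i, j); this is an assumption
    replacing the congruence stated in the text, and the outcome depends on the generator g."""
    for A in range(-2 * isqrt(p) - 1, 2 * isqrt(p) + 2):
        rest = 4 * p - A * A
        if A % 3 != 1 or rest <= 0 or rest % 27 or isqrt(rest // 27) ** 2 != rest // 27:
            continue
        for B in (isqrt(rest // 27), -isqrt(rest // 27)):
            closed = [[2 * (p - 8 + A), 2 * p - 4 - A + 9 * B, 2 * p - 4 - A - 9 * B],
                      [2 * p - 4 - A + 9 * B, 2 * p - 4 - A - 9 * B, 2 * (p + 1 + A)],
                      [2 * p - 4 - A - 9 * B, 2 * (p + 1 + A), 2 * p - 4 - A + 9 * B]]
            if closed == [[18 * v for v in row] for row in n]:
                return A, B
    raise ValueError("no (A, B) reproduces the counted cyclotomic numbers")

def period_matrix(p):
    """T0 of Lemma 20 over the integers: eta0 * eta_i = sum_j T0[i][j] eta_j.  Row 0 comes from
    eta0*eta0 = k + sum_j (0, j) eta_j with k = -k(eta0 + eta1 + eta2), since the trace is -1."""
    k = (p - 1) // 3
    n = cyclotomic_numbers(p)
    A, B = quadratic_form(p, n)
    T0 = [[n[0][j] - k for j in range(3)], list(n[1]), list(n[2])]
    lemma20 = [[2 * (A - 2 * p - 5), 2 - 4 * p - A + 9 * B, 2 - 4 * p - A - 9 * B],
               [2 * p - 4 - A + 9 * B, 2 * p - 4 - A - 9 * B, 2 * (p + 1 + A)],
               [2 * p - 4 - A - 9 * B, 2 * (p + 1 + A), 2 * p - 4 - A + 9 * B]]
    assert [[18 * t for t in row] for row in T0] == lemma20     # agrees with Lemma 20
    return T0

def mul(x, y, T0, q):
    """Product of x = (x0, x1, x2) and y = (y0, y1, y2) in F_{q^3}, Lemma 21, reduced mod q."""
    t = T0
    x0, x1, x2 = x
    y0, y1, y2 = y
    s01, s12, s02 = x0 * y1 + x1 * y0, x1 * y2 + x2 * y1, x0 * y2 + x2 * y0
    c0 = x0*y0*t[0][0] + x2*y2*t[0][1] + x1*y1*t[0][2] + s01*t[1][0] + s12*t[1][2] + s02*t[2][0]
    c1 = x0*y0*t[0][1] + x2*y2*t[0][2] + x1*y1*t[0][0] + s01*t[1][1] + s12*t[1][0] + s02*t[2][1]
    c2 = x0*y0*t[0][2] + x2*y2*t[0][0] + x1*y1*t[0][1] + s01*t[1][2] + s12*t[1][1] + s02*t[2][2]
    return (c0 % q, c1 % q, c2 % q)

def is_cubic_nonresidue(q, p):
    """Euler's criterion: q is a cubic nonresidue mod p = 3k + 1 iff q^k != 1 (mod p)."""
    return pow(q % p, (p - 1) // 3, p) != 1

def table_is_field(T0, q):
    """True iff -(eta0 + eta1 + eta2) acts as 1 and there are no zero divisors, i.e. the
    periods span the field F_{q^3} rather than a product of smaller rings."""
    elems = list(product(range(q), repeat=3))
    one, zero = ((-1) % q,) * 3, (0, 0, 0)
    if any(mul(x, one, T0, q) != x for x in elems):
        return False
    return all(mul(x, y, T0, q) != zero for x in elems for y in elems if x != zero and y != zero)

if __name__ == "__main__":
    for p, q in ((7, 5), (7, 2), (13, 2), (13, 5)):   # (7, 5) is the setting of Example 23
        T0 = period_matrix(p)
        print(f"p={p} q={q}: T0 mod q = {[[t % q for t in row] for row in T0]}, "
              f"q nonresidue: {is_cubic_nonresidue(q, p)}, field: {table_is_field(T0, q)}")
```

For p = 13 and q = 5 the table has zero divisors, because 5 is a cubic residue modulo 13 and the periods then do not generate a field, which is the hypothesis of Theorem 16 seen from the other side.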


CHAPTER 8

Asymptotic Proofs For Primitive Polynomials


On the Coefficients of Polynomials in Finite Fields

N. A. Carella, January 2000.

ABSTRACT. In this paper we will demonstrate the existence of primitive polynomials of degree $n$ with $k$ prescribed consecutive coefficients in the finite field $\mathbb{F}_q$ for all sufficiently large odd $q = p^v$ such that $k < p$, and $k < n(1/2 - \varepsilon) - 1$.

Key words: Finite fields, coefficients, primitive and primitive normal polynomials.

Mathematics Subject Classifications: 11T06.

1 Introduction

Several authors have proved the existence of primitive polynomials $f(x) = x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_{n-1}x + c_n \in \mathbb{F}_q[x]$ of prescribed trace $c_1 \in \mathbb{F}_q$, see [2] and [7]. There are exceptions; for instance, the quadratic primitive polynomials must be trinomials. The existence of primitive polynomials with one prescribed coefficient $c_i \in \mathbb{F}_q$, $0 < i < n$, with many exceptions, has been conjectured in [5]; this conjecture is valid for irreducible polynomials, see [3], and a limited version of this conjecture has recently been proved in [13]. In addition, a formula that enumerates the number of irreducible polynomials of degree $n$ in $\mathbb{F}_2[x]$ with $c_1 = c_{n-1} = 1$ and $c_n = 1$ appears in [9], and [4] has proven the existence of primitive polynomials with two prescribed consecutive coefficients $c_1, c_2 \in \mathbb{F}_q$ for all sufficiently large odd $q$, see Theorem 7. In this paper we will prove the existence of primitive polynomials with $k$ prescribed consecutive coefficients $c_1, c_2, \dots, c_k \in \mathbb{F}_q$ provided certain restrictions are met. The precise statement is given below.

Theorem 1. (Coefficients Theorem) Let $q = p^v$, and $\varepsilon > 0$. If $k < p$, and $k < n(1/2 - \varepsilon) - 1$, then there exist a constant $q_\varepsilon$ and a primitive polynomial $f(x) = x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_{n-1}x + c_n \in \mathbb{F}_q[x]$ with $k$ prescribed consecutive coefficients $c_1, c_2, \dots, c_k \in \mathbb{F}_q$ for all odd $q \ge q_\varepsilon$.

Since the reciprocal polynomial $f^*(x) = x^nf(1/x) = x^n + a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1x + a_0$, $a_i = c_{n-i}/c_n$, of a primitive polynomial $f(x)$ is also a primitive polynomial, the $k$ prescribed consecutive coefficients can also be chosen in reversed order.

In section 2 we will post a few results needed in the proof, and section 3 covers the proof of the Coefficients Theorem.


2 Auxiliary Results

Let $\mathbb{F}_{q^n}$ be a finite field extension of $\mathbb{F}_q$ of degree $n = [\mathbb{F}_{q^n} : \mathbb{F}_q]$, and let $z_1, z_2, \dots, z_n \in \mathbb{F}_{q^n}$ be the roots of the polynomial

$$f(x) = (x - z_1)(x - z_2)\cdots(x - z_n) = x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_{n-1}x + c_n \in \mathbb{F}_q[x]. \qquad (1)$$

The coefficients $c_i$ of $f(x)$ are functions of $z_1, z_2, \dots, z_n$ given by the formulae

$$c_1 = -\sum_{i=1}^n z_i,\quad c_2 = \sum_{1 \le v_1 < v_2 \le n} z_{v_1}z_{v_2},\ \dots,\ c_i = (-1)^i\sum_{1 \le v_1 < \cdots < v_i \le n} z_{v_1}z_{v_2}\cdots z_{v_i},\ \dots,\ c_n = (-1)^n z_1z_2\cdots z_n. \qquad (2)$$

These functions are related to the symmetric functions $\sigma_i$ by the relation $c_i = (-1)^i\sigma_i$. The associated power sums are defined by

$$w_i = \sum_{j=1}^n z_j^i = z_1^i + z_2^i + \cdots + z_n^i,\quad i \ge 1. \qquad (3)$$

Due to the structure of the roots of polynomials in characteristic $\ne 0$ the power sums have the alternate form

$$w_i = \sum_{j=1}^n z_j^i = \sum_{j=1}^n \alpha^{iq^j} = \mathrm{Tr}(\alpha^i),\quad i \ge 1, \qquad (4)$$

where $\mathrm{Tr}(x)$ is the trace of $x$, and $\alpha \in \mathbb{F}_{q^n}$ is an element of degree $n$. These formulae allow one to compute or solve a problem about the coefficients of polynomials via power functions. Fast algorithms for computing the coefficients $\{c_i\}$ from the power functions $\{w_i\}$ (or conversely) in $O(\log n)$ steps are discussed in [11].

Substituting the power sum $w_i = w_i(\alpha) = \mathrm{Tr}(\alpha^i)$ in Newton's identities yields the corresponding coefficient identities for finite fields. The coefficient identities are given by

$$(1)\quad \mathrm{Tr}(\alpha^k) = (-1)^{k+1}kc_k + \sum_{i=1}^{k-1}(-1)^i c_i\mathrm{Tr}(\alpha^{k-i}),\quad \text{for } 1 \le k \le n, \qquad (5)$$

$$(2)\quad \mathrm{Tr}(\alpha^k) = \sum_{i=1}^{n-1}(-1)^i c_i\mathrm{Tr}(\alpha^{k-i}),\quad \text{for } n < k.$$

Since the reduction of formula (5-1) modulo $p$ loses some information, it is convenient to consider formula (5-1) as two separate cases: $n < p$, and $p \le n$.


Case of $n < p$. In this case the reduction of formula (5-1) modulo $p$ is the same as in characteristic 0, so it works as usual: all the coefficients can be computed. In addition, we can use identity (5-1) to rewrite the coefficient functions

$$c_i = c_i(w_1, w_2, \dots, w_i) = c_i(\mathrm{Tr}(\alpha), \mathrm{Tr}(\alpha^2), \dots, \mathrm{Tr}(\alpha^i)) \qquad (6)$$

as functions of the power functions $w_1 = \mathrm{Tr}(\alpha)$, $w_2 = \mathrm{Tr}(\alpha^2)$, ..., $w_i = \mathrm{Tr}(\alpha^i)$, or equivalently as functions of the traces of the elements $\alpha, \alpha^2, \dots, \alpha^i$. A few of the coefficients are given below.

$$(1)\quad c_1 = -w_1, \qquad (7)$$

$$(2)\quad c_2 = \frac{1}{2!}(w_1^2 - w_2),$$

$$(3)\quad c_3 = \frac{1}{3!}(w_1^3 - w_1w_2 + w_3),$$

$$(4)\quad c_4 = \frac{1}{4!}(2w_1^4 + 4w_1^2w_2 + 4w_1w_3 - 3w_2^2 - 6w_4),\ \dots,$$

$$(k)\quad c_k = \frac{1}{k!}\sum_{i} a_i\, w_1^{i_1}w_2^{i_2}\cdots w_k^{i_k},$$

where $1 \le k \le n$, and $i = (i_1, i_2, \dots, i_k)$.

In characteristic $p > 2$, a direct calculation of the second coefficient (7-2) using (2), namely,

$$c_2 = \sum_{0 \le i < j \le n-1}\alpha^{q^i + q^j} = \frac{1}{2}\left(\mathrm{Tr}(\alpha)^2 - \mathrm{Tr}(\alpha^2)\right), \qquad (8)$$

can be accomplished in a few steps (the right hand side of this formula is well known in matrix theory). But a direct calculation of any of the other coefficients $c_3, c_4, \dots, c_{n-1}$ appears to be a lengthy and time consuming task. Even the third coefficient

$$c_3 = \sum_{0 \le i < j < k \le n-1}\alpha^{q^i + q^j + q^k} = \frac{1}{3!}\left(2\mathrm{Tr}(\alpha^3) - \mathrm{Tr}(\alpha)\mathrm{Tr}(\alpha^2) - \mathrm{Tr}(\alpha)^3\right), \qquad (9)$$

in characteristic $p > 3$, is difficult to calculate directly. However, using identity (5-1), this task becomes a simple algebraic manipulation. In summary, if the coefficients $c_1, c_2, \dots, c_k$ are prescribed, then so are the power functions $w_1, w_2, \dots, w_k$, and conversely.

Case of $p \le n$. If $q = p^v$ and $p \le n$, the first $p - 1$ coefficients $c_1, c_2, \dots, c_{p-1}$ of any polynomial of degree $n$ in $\mathbb{F}_q[x]$ can be computed using formula (5-1). But the remaining coefficients $c_p, c_{p+1}, \dots, c_n$ might not be computable, since the reduction of identity (5-1) modulo $p$ loses information. This case also has many exceptions, and will not be considered here.

Several other results which will be used later on are also included here, the proofs can be found in [1] or similar sources.

Lemma 2. Let $N \gg 1$, and let $p$ run through the prime divisors of $N$. Then

$$\frac{e^{-\gamma}}{\log\log N}\left(1 + O(1/\log\log N)\right) \le \frac{\varphi(N)}{N} = \prod_{p \mid N}(1 - 1/p). \qquad (10)$$

The constant $e^{-\gamma} = .5615\ldots$ is important whenever $N$ is a small integer, but for sufficiently large $N$ we can use the simpler asymptotic formula $1/\log\log N \le \varphi(N)/N$. It is clear that the inequalities $0 < \varphi(N)/N < 1$ hold, and $\varphi(N)/N \le 1/2$ if $N$ is even. If $N = q^n - 1$, $q$ a prime power, then the ratio $P_1 = \varphi(N)/N$ is interpreted as the probability of primitive elements in $\mathbb{F}_{q^n}$.

The omega function is defined by $\omega(N) = \#\{\text{distinct prime divisors of } N\}$. The inequality $2^{\omega(N)} < 2^{2\log N/\log\log N}$ is quite useful in analysis, but we will utilize the following.

Lemma 3. If $\varepsilon > 0$ and $N \ge 1$, then there exists a constant $C_\varepsilon > 0$ such that $2^{\omega(N)} < C_\varepsilon N^\varepsilon$.

The construction of the existence equation (15) of primitive polynomials with prescribed consecutive coefficients is based on the two exponential sums

$$(1)\quad \frac{\varphi(q^n - 1)}{q^n - 1}\sum_{d \mid q^n - 1}\frac{\mu(d)}{\varphi(d)}\sum_{\mathrm{ord}(\chi) = d}\chi(\xi) \qquad \text{and} \qquad (2)\quad \frac{1}{q}\sum_{\alpha \in \mathbb{F}_{q^n}}\sum_{x \in \mathbb{F}_q}\psi\big(x(\mathrm{Tr}(f(\alpha)) - a)\big), \qquad (11)$$

where $\chi$ is a multiplicative character of order $d = \mathrm{ord}(\chi)$, $d \mid q^n - 1$, on the finite field $\mathbb{F}_{q^n}$ of $q^n$ elements, and $\psi \ne 1$ is a nontrivial additive character on $\mathbb{F}_q$, respectively. The first sum is the characteristic function of primitive elements in $\mathbb{F}_{q^n}$, and the second sum gives the cardinality of the solution set $\{\alpha \in \mathbb{F}_{q^n} : \mathrm{Tr}(f(\alpha)) - a = 0\}$ of the equation $\mathrm{Tr}(f(x)) - a = 0$ in $\mathbb{F}_{q^n}$, where $f(x)$ is a function on $\mathbb{F}_{q^n}$, and $a \in \mathbb{F}_q$ is a constant. The product of these two sums gives the number of primitive element solutions of the equation $\mathrm{Tr}(f(x)) - a = 0$ in $\mathbb{F}_{q^n}$.

Lemma 4. ([14]) Let $\chi, \psi \ne 1$ be a pair of nontrivial multiplicative and additive characters, and let $f(x), g(x) \in \mathbb{F}_q[x]$ be polynomials of degrees $k = \deg(f)$ and $m = \deg(g)$ respectively. Then

$$\left|\sum_{x \in \mathbb{F}_{q^n}}\chi(f(x))\psi(\mathrm{Tr}(g(x)))\right| \le (k + m - 1)q^{n/2}. \qquad (12)$$

3 Proof of the Coefficients Theorem

The total number $\varphi(q^n - 1)/n$ of primitive polynomials of degree $n$ in $\mathbb{F}_q[x]$ is an upper limit of the cardinality of any proper subset of primitive polynomials. Specifically, we are interested in the subset $\mathfrak{I} = \{\text{primitive polynomials of degree } n \text{ with } k \text{ prescribed coefficients}\}$ of cardinality $\#\mathfrak{I} \ge q^k$. Clearly the absolute maximal number $k$ of independent coefficients satisfies the inequalities

$$q^k \le \frac{\varphi(q^n - 1)}{n} \le \frac{q^n - 1}{n}P_1. \qquad (13)$$

This count also includes $c_n$ as an independent coefficient. Consequently, $k < n - \log n/\log q$, which means that at least one coefficient among $c_1, c_2, \dots, c_n$ remains dependent on the other coefficients. For small $q < n$, there are fewer linearly independent coefficients since

$$w_q = \mathrm{Tr}(\alpha^q) = \mathrm{Tr}(\alpha) = w_1,\quad w_{2q} = \mathrm{Tr}(\alpha^{2q}) = \mathrm{Tr}(\alpha^2) = w_2,\ \text{et cetera}.$$

Example 5. (1) The quadratic primitive polynomials $x^2 + c_1x + c_2 \in \mathbb{F}_q[x]$ can be selected with prescribed trace $0 \ne c_1 \in \mathbb{F}_q$, or norm $c_2$, for all $q$. But since $k \le n - 1 = 1$, the two coefficients $0 \ne c_1$ and $c_2$ cannot be selected independently; in fact, $\varphi(q^2 - 1)/2 < (q - 1)\varphi(q - 1)$ for all $q > 3$.

(2) The cubic primitive polynomials $x^3 + c_1x^2 + c_2x + c_3 \in \mathbb{F}_q[x]$ can be selected with at most two independent coefficients since $k \le n - 1 = 2$; in fact $\varphi(q^3 - 1)/3 < q^2\varphi(q - 1)$ for all $q \ge 2$. For instance, $x^3 + c_1x^2 + c_2x + c_3 = x^3 + x^2 + 1$ or $x^3 + x + 1 \in \mathbb{F}_2[x]$ is a primitive polynomial with one independent coefficient $c_1$ or $c_2$. In characteristic $p > 2$, some cubic primitive polynomials can be selected with two independent coefficients $c_1$ and $c_3$, for instance, $x^3 + c_1x^2 + c_2x + c_3 \in \mathbb{F}_5[x]$.

The key idea in the proof of Theorem 1 is to show that the system of polynomial equations

$$\mathrm{Tr}(x) = a_1,\quad \mathrm{Tr}(x^2) = a_2,\ \dots,\ \mathrm{Tr}(x^k) = a_k, \qquad (14)$$

$a_i \in \mathbb{F}_q$ constants, has at least one primitive element solution $x = \xi \in \mathbb{F}_{q^n}$. This in turn implies the existence of at least one primitive polynomial $f(x) = x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_{n-1}x + c_n$ with $k$ prescribed consecutive coefficients. The constants $a_1, a_2, \dots, a_k$ indirectly prescribe the $k$ coefficients, viz.,

$$c_1 = -\mathrm{Tr}(\xi),\quad c_2 = c_2(\mathrm{Tr}(\xi), \mathrm{Tr}(\xi^2)),\ \dots,\ c_k = c_k(\mathrm{Tr}(\xi), \mathrm{Tr}(\xi^2), \dots, \mathrm{Tr}(\xi^k)).$$

This system of polynomial equations, which is a direct consequence of (4), generalizes the existence equation (15) used in the investigation of the distribution of the values of $c_1, c_2, \dots, c_k$ to all the coefficients possible. The analysis of the case $k = 1$ appears in [2] and [7], et cetera, and the more recent analysis of the case $k = 2$ is given in [4].

The technique we use to estimate the number of primitive solutions of this system of equations has some similarity to a method used to estimate the covering radii of algebraic codes, see [6], and [10].

The number of primitive polynomials with $k$ prescribed consecutive coefficients is given by (existence equation for $k < p$)

$$N(q^n, a_i) = \sum_{0 \ne \xi \in \mathbb{F}_{q^n}}\left(\frac{\varphi(q^n - 1)}{q^n - 1}\sum_{d \mid q^n - 1}\frac{\mu(d)}{\varphi(d)}\sum_{\mathrm{ord}(\chi) = d}\chi(\xi)\right)\prod_{i=1}^k\left(\frac{1}{q}\sum_{x_i \in \mathbb{F}_q}\psi\big(x_i(\mathrm{Tr}(f(\xi^i)) - a_i)\big)\right). \qquad (15)$$

This is a $k$-fold product of formulas (11-1) and (11-2). The usual strategy of dealing with this type of sum is to decompose it into several sums, and then compute a lower estimate; consult [4], [7], [8], [10], and [12] for background details and other references on this type of analysis. To obtain a suitable decomposition of equation (15), rewrite it as

$$N(q^n, a_1, \dots, a_k) = q^{-k}P_1\sum_{d \mid q^n - 1}\frac{\mu(d)}{\varphi(d)}\sum_{\mathrm{ord}(\chi) = d}\ \sum_{x_1, x_2, \dots, x_k \in \mathbb{F}_q}\ \sum_{0 \ne \xi \in \mathbb{F}_{q^n}}\chi(\xi)\psi\big(\mathrm{Tr}(x_1\xi + x_2\xi^2 + \cdots + x_k\xi^k) - (a_1x_1 + a_2x_2 + \cdots + a_kx_k)\big). \qquad (16)$$

The decomposition employed is given by

$$N(q^n, a_1, \dots, a_k) = q^{-k}P_1(S_0 + S_1 + S_2 + S_3). \qquad (17)$$

The first sum is $S_0 = q^n - 1$, the second sum is

$$S_1 = \sum_{(x_1, x_2, \dots, x_k) \ne (0, 0, \dots, 0)}\ \sum_{0 \ne \xi \in \mathbb{F}_{q^n}}\psi\big(\mathrm{Tr}(x_1\xi + x_2\xi^2 + \cdots + x_k\xi^k) - (a_1x_1 + a_2x_2 + \cdots + a_kx_k)\big), \qquad (18)$$

the third sum is $S_2 = 0$, and the fourth sum is

$$S_3 = \sum_{d \mid q^n - 1,\ d \ne 1}\frac{\mu(d)}{\varphi(d)}\sum_{\mathrm{ord}(\chi) = d}\ \sum_{(x_1, x_2, \dots, x_k) \ne (0, 0, \dots, 0)}\ \sum_{0 \ne \xi \in \mathbb{F}_{q^n}}\chi(\xi)\psi\big(\mathrm{Tr}(x_1\xi + x_2\xi^2 + \cdots + x_k\xi^k) - (a_1x_1 + a_2x_2 + \cdots + a_kx_k)\big). \qquad (19)$$

These sums are determined by the restrictions of the inner term of (16) to the subsets of vectors

$V_0 = \{(d = 1, 0, 0, \dots, 0, \xi \ne 0)\}$,
$V_1 = \{(d = 1, x_1, x_2, \dots, x_k, \xi \ne 0) : (x_1, x_2, \dots, x_k) \ne (0, \dots, 0),\ x_i \in \mathbb{F}_q\}$,
$V_2 = \{(d \ne 1, 0, 0, \dots, 0, \xi \ne 0) : d \mid q^n - 1\}$, and
$V_3 = \{(d \ne 1, x_1, x_2, \dots, x_k, \xi \ne 0) : d \mid q^n - 1,\ (x_1, x_2, \dots, x_k) \ne (0, \dots, 0),\ x_i \in \mathbb{F}_q\}$

respectively.


To compute a lower estimate of $N(q^n, a_1, \dots, a_k)$ based on this decomposition, one needs the upper estimates of the sums $S_1$ and $S_3$.

Lemma 6. (1) $|S_1| \le (q^k - 1)(k - 1)q^{n/2}$, and (2) $|S_3| \le (2^\omega - 1)(q^k - 1)(kq^{n/2})$, where $\omega = \omega(q^n - 1)$ is the number of distinct prime divisors of $q^n - 1$.

Proof: Take the absolute value of equations (18) and (19) and apply Lemma 4.

Theorem 1. (Coefficients Theorem) Let $q = p^v$, and $\varepsilon > 0$. If $k < p$, and $k < n(1/2 - \varepsilon) - 1$, then there exist a constant $q_\varepsilon$ and a primitive polynomial $f(x) = x^n + c_1x^{n-1} + c_2x^{n-2} + \cdots + c_{n-1}x + c_n \in \mathbb{F}_q[x]$ with $k$ prescribed consecutive coefficients $c_1, c_2, \dots, c_k \in \mathbb{F}_q$ for all odd $q \ge q_\varepsilon$.

Proof: The condition $k < p$ allows us to use (15). Replace $S_0 = q^n - 1$, $S_2 = 0$, and the minimal estimate $S_1, S_3 \ge -(2^\omega - 1)\,q^k\,(kq^{n/2})$ in (17) to obtain

$$N(q^n, a_1, \dots, a_k) \ge q^{-k}P_1\left(q^n - 1 - 2(2^{\omega(q^n - 1)} - 1)kq^{n/2 + k}\right). \qquad (20)$$

Substitute $2^{\omega(N)} = C_\varepsilon N^\varepsilon$ (see Lemma 3), and rearrange to obtain

$$N(q^n, a_1, \dots, a_k) \ge q^{n-k}P_1\left(1 - 2C_\varepsilon q^{k + 1 - n(1/2 - \varepsilon)}\right). \qquad (21)$$

Since $0 < P_1 < 1$, and by assumption $k < n(1/2 - \varepsilon) - 1$, it immediately follows that there exists a constant $q_\varepsilon$ such that $N(q^n, a_1, \dots, a_k) \ge 1$ for all odd $q \ge q_\varepsilon$.

In the (asymptotic) analysis over large finite fields $\mathbb{F}_q$ given above, the estimate $|S_i| \le (2^\omega - 1)(kq^{n/2 + k})$ is adequate. However, to investigate the existence of primitive polynomials of small degrees with $k$ prescribed coefficients over small finite fields $\mathbb{F}_q$, detailed analysis of all the individual sums $S_i$ can improve the upper estimates $|S_i| \le (2^\omega - 1)(kq^{n/2 + k})$; this in turn reduces the number of cases to be checked. The detailed analysis of the case $k = 2$ appears in [4], which concludes in the following (valid for odd $q$ only).

Theorem 7. ([4]) Suppose n ≥ 7, then there exists a primitive polynomial in Fq[x] of degree n with the first and second coefficients prescribed in advance.

Case of $k \le 4$. This case corresponds to primitive polynomials with $k \le 4$ prescribed consecutive coefficients $c_1, c_2, c_3, c_4 \in \mathbb{F}_q$. Since this case requires $4 < p$, let $q = p^v$ with $p \ge 5$, and let $\varepsilon = \log 2/\log 29 = 0.2058468324604\ldots$. It is not difficult to verify that this choice of constant $\varepsilon$ leads to $2^{\omega(N)} < C_\varepsilon N^\varepsilon = 10N^{.205847}$. Moreover, one has

$$q^{(\omega(N) - \varepsilon\log N + \log C_\varepsilon)/\log q} < \frac{1}{2}\,\frac{\varphi(N)}{N} \qquad (22)$$

for all $q > 1$ and $N > 0$. Now equation (20) becomes

$$N(q^n, a_1, \dots, a_k) \ge q^{n(1-\varepsilon) - k - \log C_\varepsilon/\log q}\left(1 - q^{k + 1 - n(1/2 - \varepsilon) + (\log 2 + \log C_\varepsilon)/\log q}\right). \qquad (23)$$

Using equation (23) and the stated parameters we determine the following two cases.

Using equation (23) and the stated parameters we determine the following two cases.

(1) There are primitive polynomials of degree $n > 10$ with $k = 3$ prescribed consecutive coefficients $c_1, c_2, c_3 \in \mathbb{F}_q$ for all $q = p^v$, with $p \ge 5$.

(2) There are primitive polynomials of degree $n > 11$ with $k = 4$ prescribed consecutive coefficients $c_1, c_2, c_3, c_4 \in \mathbb{F}_q$ for all $q = p^v$, with $p \ge 5$.

These estimates assume that $q = p = 5$, but for larger $q = p^v \gg 5$ the parameters $\varepsilon$ and $C_\varepsilon$ can be readjusted to reduce the minimal $n$.
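The coefficient/power-sum correspondence of Section 2 and the count N(q^n, a_1, ..., a_k) of Section 3, as an added Python example that is not the paper's code, for q = p prime: traces Tr(α^i) are computed in F_p[x]/(f) by Frobenius, c_1, ..., c_k are recovered from them by Newton's identities written in the form w_k + c_1 w_{k-1} + ... + c_{k-1} w_1 + k c_k = 0 (the bookkeeping this example uses; it needs k < p, and the k = p failure is made explicit), and primitive polynomials with prescribed leading coefficients are counted by brute force. All function names are this example's own.

```python
# Added example (not the paper's code): power sums w_i = Tr(alpha^i) versus the coefficients
# c_i, and a brute-force count of primitive polynomials with prescribed leading coefficients.
# Polynomials over F_p (p prime) are coefficient lists, lowest degree first; f is monic.
from itertools import product

def poly_mulmod(a, b, f, p):
    """(a * b) mod f over F_p, returned with exactly deg(f) coefficients."""
    n = len(f) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for d in range(len(prod) - 1, n - 1, -1):   # x^d = x^(d-n) x^n and x^n = -(f_0 + ... + f_{n-1} x^{n-1})
        coef = prod[d]
        if coef:
            for i in range(n + 1):
                prod[d - n + i] = (prod[d - n + i] - coef * f[i]) % p
    return (prod + [0] * n)[:n]

def poly_powmod(a, e, f, p):
    """a^e mod f by square-and-multiply."""
    n = len(f) - 1
    result, base = [1] + [0] * (n - 1), (list(a) + [0] * n)[:n]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, p)
        base = poly_mulmod(base, base, f, p)
        e >>= 1
    return result

def trace(beta, f, p):
    """Tr(beta) = beta + beta^p + ... + beta^(p^(n-1)) in F_p[x]/(f), f irreducible (formula (4))."""
    n = len(f) - 1
    total, power = [0] * n, (list(beta) + [0] * n)[:n]
    for _ in range(n):
        total = [(s + t) % p for s, t in zip(total, power)]
        power = poly_powmod(power, p, f, p)
    assert not any(total[1:]), "trace must lie in F_p: f is not irreducible"
    return total[0]

def power_sums(f, p, k):
    """w_1, ..., w_k with w_i = Tr(alpha^i), alpha = x mod f."""
    alpha = ([0, 1] + [0] * len(f))[:len(f) - 1]
    return [trace(poly_powmod(alpha, i, f, p), f, p) for i in range(1, k + 1)]

def coefficients_from_power_sums(w, p):
    """c_1..c_k from w_1..w_k by Newton's identities in the form
    w_k + c_1 w_{k-1} + ... + c_{k-1} w_1 + k c_k = 0 for monic f = x^n + c_1 x^(n-1) + ....
    Needs k < p: when p | k the term k c_k vanishes mod p and c_k is lost."""
    c = []
    for k in range(1, len(w) + 1):
        if k % p == 0:
            raise ValueError(f"k = {k} is not invertible mod {p}: c_{k} cannot be recovered")
        s = w[k - 1] + sum(c[i - 1] * w[k - i - 1] for i in range(1, k))
        c.append(-s * pow(k, -1, p) % p)
    return c

def prime_factors(m):
    """Distinct prime factors of m by trial division."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    return out + ([m] if m > 1 else [])

def is_primitive(f, p):
    """f is primitive iff x has multiplicative order p^n - 1 in F_p[x]/(f)."""
    n = len(f) - 1
    order, one = p ** n - 1, [1] + [0] * (n - 1)
    x = ([0, 1] + [0] * n)[:n]
    if poly_powmod(x, order, f, p) != one:
        return False
    return all(poly_powmod(x, order // r, f, p) != one for r in prime_factors(order))

def count_primitive_with_prefix(p, n, prefix):
    """N(p^n, a_1, ..., a_k): primitive f = x^n + c_1 x^(n-1) + ... + c_n over F_p with
    (c_1, ..., c_k) = prefix, counted by enumerating the remaining coefficients."""
    total = 0
    for tail in product(range(p), repeat=n - len(prefix)):
        high_first = list(prefix) + list(tail)            # c_1, ..., c_n
        total += is_primitive(high_first[::-1] + [1], p)  # c_n, ..., c_1, 1: low degree first
    return total

if __name__ == "__main__":
    p, f = 5, [4, 1, 1, 1]                 # x^3 + x^2 + x - 1 over F_5 (irreducible, n = 3 < p)
    w = power_sums(f, p, 3)
    print("w =", w, "-> c_1..c_3 =", coefficients_from_power_sums(w, p))
    print("primitive cubics over F_5:", count_primitive_with_prefix(p, 3, ()), "= phi(124)/3;",
          "with c_1 = 1:", count_primitive_with_prefix(p, 3, (1,)))
```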


REFERENCES:

[1] T. M. Apostol, Introduction to Analytic Number Theory, Springer-Verlag, New York, 1984.
[2] S. D. Cohen, Primitive elements and polynomials with arbitrary trace, Discrete Math. 11 (1990), 1-7.
[3] K. Ham, G. L. Mullen, Distribution of irreducible polynomials of small degrees over finite fields, Math. Comp. 67 (221) (1998), 337-341.
[4] W. B. Han, The coefficients of primitive polynomials over finite fields, Math. Comp. 65 (213) (1996), 331-340.
[5] Hansen, G. L. Mullen, Primitive polynomials over finite fields, Math. Comp. 59 (211) (1992), 639-643.
[6] T. Helleseth, On the covering radius of cyclic codes and arithmetic codes, Discrete Appl. Math. 11 (1985), 157-173.
[7] D. Jungnickel, S. A. Vanstone, On primitive polynomials over finite fields, J. Algebra 124 (1989), 337-353.
[8] H. W. Lenstra, R. J. Schoof, Primitive normal bases for finite fields, Math. Comp. 48 (193) (1987), 217-231.
[9] H. Niederreiter, An enumeration formula for certain irreducible polynomials with application to the construction of irreducible polynomials over the binary field, Applicable Algebra 1 (1990), 119-124.
[10] O. Moreno, C. Moreno, Exponential sums I and Goppa codes, Proc. Amer. Math. Soc. 11 (2) (1991), 523-531.
[11] V. Y. Pan, Polynomials and Matrix Computations, Volume 1: Fundamental Algorithms, Birkhäuser, Boston, 1994, pp. 33-35.
[12] F. Pappalardi, I. E. Shparlinski, Artin's conjecture in function fields, Finite Fields Appl. 1 (1995), 399-404.
[13] D. Wan, Generators and irreducible polynomials over finite fields, Math. Comp. 66 (219) (1997), 1195-1212.
[14] A. Weil, On some exponential sums, Proc. Nat. Acad. Sci. 34, 204-207.

January 2000, Rev. 4.


On the Coefficients of Primitive Normal Polynomials

N. A. Carella, October 2005.

Abstract: The previous paper of the Winter 1998/1999 proved the existence of primitive polynomials and primitive normal polynomials of degree $n$ with $k$ prescribed coefficients in the finite field $\mathbb{F}_q$ for all sufficiently large powers $q = p^v$ such that $k < p$, and $k < n(1 - \varepsilon) - 1$, $\varepsilon > 0$. This paper presents a longer version of the result on primitive normal polynomials.

Keywords: Polynomials in finite fields, primitive polynomials, primitive normal polynomials.

Mathematics subject classification: 11T06.

1 Introduction

Let $q = p^v$ be a sufficiently large prime power, and let $k$ and $n$ be a pair of integers such that $k < p$, and $k < n(1 - \varepsilon) - 1$, $\varepsilon > 0$. This work is a longer version of the analysis on the distribution of the coefficients of primitive polynomials and primitive normal polynomials in finite fields started in [4]. The previous results proved the existence of primitive polynomials and of primitive normal polynomials $f(x) = x^n + a_1x^{n-1} + \cdots + a_{n-1}x + a_n \in \mathbb{F}_q[x]$ with $k$ prescribed consecutive coefficients $a_1 \ne 0, a_2, \dots, a_k \in \mathbb{F}_q$ in finite fields of odd characteristic $p$. A primitive polynomial has roots of multiplicative order $q^n - 1$; and a normal polynomial has roots of additive order $x^n - 1$, which is the same as having nonzero trace and linearly independent roots.

Theorem 1. (Extended Coefficient Theorem) Let $q = p^v$, $p$ prime, and let $k$ and $n$ be a pair of integers such that $k < p$, and $k < n(1 - \varepsilon) - 1$, $\varepsilon > 0$. Then there exists a primitive normal polynomial $f(x) \in \mathbb{F}_q[x]$ with $k$ prescribed coefficients for all odd $q \ge q_0$.

The case $k = 1$ was considered in [3], which showed the existence of primitive normal polynomials of prescribed trace $a_1 \ne 0$ for all pairs $(n, q)$ but a finite number of exceptions.

A primitive normal basis is a basis $\{\eta, \eta^q, \eta^{q^2}, \dots, \eta^{q^{n-1}}\}$ of the vector space $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ generated by a primitive normal element $\eta \in \mathbb{F}_{q^n}$. The asymptotic proof of the Primitive Normal Basis Theorem was first established by both [5] and [8], and the complete version for all pairs $n, q$ was established by [15].

Theorem 2. (Primitive Normal Basis Theorem) Let $\mathbb{F}_{q^n}$ be an $n$-degree extension of $\mathbb{F}_q$. Then $\mathbb{F}_{q^n}$ has a primitive normal basis over $\mathbb{F}_q$.

The next result is a refinement of Theorem 2; it calls for primitive normal elements of arbitrary traces.

Theorem 3. (Primitive Normal Basis Theorem of Arbitrary Trace) For every $a \ne 0$ in $\mathbb{F}_q$, there exists a primitive normal element in $\mathbb{F}_{q^n}$ of trace $a$.

The refinement was proposed as a conjecture in [17], and its first asymptotic proof was completed in [3]. About two years later it was extended to all pairs n, q in [7]. A much more general extension remains an open problem.

Conjecture 4. (Morgan-Mullen 1996) Let q be a prime power and let n > 3 be an integer. Then there exists a completely normal primitive polynomial of degree n over Fq.

2 Auxiliary Results This section introduces several concepts used to study the distribution of elements and the coefficients of polynomials in finite fields.

Characteristic Functions

A characteristic function encapsulates certain properties of a subset of elements of $\mathbb{F}_{q^n}$. It effectively filters out those elements that do not satisfy the constraints. The equation of a characteristic function is of the form

$$C(\alpha) = \begin{cases} 1 & \text{if } \alpha \text{ satisfies the properties,} \\ 0 & \text{otherwise,} \end{cases} \qquad (1)$$

for all elements $\alpha \in \mathbb{F}_{q^n}$.

The Characteristic Function of Primitive Elements

Let $\chi$ be a multiplicative character of order $d = \mathrm{ord}(\chi)$, $d \mid q^n - 1$, on $\mathbb{F}_{q^n}$, see [16]. The characteristic function of primitive elements in $\mathbb{F}_{q^n}$ is defined by

$$C_P(\alpha) = \frac{\varphi(q^n - 1)}{q^n - 1}\sum_{d \mid q^n - 1}\frac{\mu(d)}{\varphi(d)}\sum_{\mathrm{ord}(\chi) = d}\chi(\alpha), \qquad (2)$$

where $\alpha \in \mathbb{F}_{q^n}$, and the arithmetic functions $\mu$ and $\varphi$ are the Möbius and Euler functions on the ring of integers $\mathbb{Z}$ respectively, see [1] and [18]. A product version of this formula has the shape

$$C_P(\alpha) = \frac{\varphi(q^n - 1)}{q^n - 1}\prod_{p \mid q^n - 1}\left(1 - \frac{1}{p - 1}\sum_{\mathrm{ord}(\chi) = p}\chi(\alpha)\right), \qquad (3)$$

where $p$ runs through the prime divisors of $q^n - 1$. The transformation used to obtain this form is straightforward and appears throughout the literature; other forms of this characteristic function are also possible.

The function CP(α) is one of the basic tools used in the investigation of the distribution of primitive elements in finite fields. Typical applications are illustrated in [14], [20], [21], etc.
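Formulas (2) and (3) evaluated numerically, as an added Python example that is not the paper's code: since $\mathbb{F}_{q^n}^*$ is cyclic of order $N = q^n - 1$, an element is written $\alpha = \gamma^m$ for a fixed generator $\gamma$ and every multiplicative character is evaluated on the exponent $m$ (the characters of exact order $d$ are $\chi_j(\gamma^m) = e^{2\pi i jm/d}$, $j$ coprime to $d$), so the two forms of $C_P$ can be compared with the direct test $\gcd(m, N) = 1$. Function names are this example's own.

```python
# Characteristic function of primitive elements, formulas (2) and (3) (added example,
# not the paper's code).  alpha = gamma^m for a generator gamma of F_{q^n}^*, N = q^n - 1,
# and chi_j(gamma^m) = exp(2*pi*i*j*m/d) for the phi(d) characters of exact order d.
import cmath
from math import gcd

def divisors(N):
    return [d for d in range(1, N + 1) if N % d == 0]

def phi(N):
    """Euler's function."""
    return sum(1 for m in range(1, N + 1) if gcd(m, N) == 1)

def prime_divisors(N):
    return [p for p in divisors(N) if p > 1 and all(p % r for r in range(2, p))]

def mobius(N):
    """Moebius function: 0 if N has a square factor, else (-1)^(number of prime divisors)."""
    ps = prime_divisors(N)
    return 0 if any(N % (p * p) == 0 for p in ps) else (-1) ** len(ps)

def char_sum(d, m):
    """sum_{ord(chi) = d} chi(gamma^m) over the phi(d) characters of exact order d."""
    return sum(cmath.exp(2j * cmath.pi * j * m / d) for j in range(1, d + 1) if gcd(j, d) == 1)

def c_p_mobius(m, N):
    """Formula (2): (phi(N)/N) * sum_{d|N} mu(d)/phi(d) * sum_{ord(chi)=d} chi(gamma^m)."""
    total = sum(mobius(d) / phi(d) * char_sum(d, m) for d in divisors(N))
    return round((phi(N) / N * total).real)   # exact value is 0 or 1; rounding removes float noise

def c_p_product(m, N):
    """Formula (3): (phi(N)/N) * prod_{p|N} (1 - (1/(p-1)) * sum_{ord(chi)=p} chi(gamma^m))."""
    value = phi(N) / N
    for p in prime_divisors(N):
        value *= 1 - char_sum(p, m) / (p - 1)
    return round(complex(value).real)

def primitive_exponents(N, form=c_p_mobius):
    """Exponents m with C_P(gamma^m) = 1, computed from the chosen form of C_P."""
    return [m for m in range(N) if form(m, N) == 1]

def coprime_exponents(N):
    """The direct test: gamma^m is primitive iff gcd(m, N) = 1."""
    return [m for m in range(N) if gcd(m, N) == 1]

if __name__ == "__main__":
    N = 5 ** 3 - 1                             # F_{5^3}, the field of the cubic examples above
    prim = primitive_exponents(N)
    print(len(prim), "primitive elements of", N, "nonzero ones; phi(N) =", phi(N),
          "; product form agrees:", primitive_exponents(N, c_p_product) == prim)
```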

The Characteristic Function of Normal Elements

Let $\psi$ be an additive character of order $f(x) = \mathrm{Ord}(\psi) \mid x^n - 1$ on $\mathbb{F}_{q^n}$, see [5] and [15]. The characteristic function of normal elements in $\mathbb{F}_{q^n}$ is defined by

$$C_N(\alpha) = \frac{\Phi(x^n - 1)}{q^n}\sum_{d(x) \mid x^n - 1}\frac{M(d(x))}{\Phi(d(x))}\sum_{\mathrm{Ord}(\psi) = d(x)}\psi\big([(x^n - 1)/d(x)] \circ \alpha\big), \qquad (4)$$

where $\alpha \in \mathbb{F}_{q^n}$, and the arithmetic functions $M$ and $\Phi$ are the Möbius and Euler functions on the ring of polynomials $\mathbb{F}_q[x]$ respectively, see [9], [15], etc., for more details. The product version of this formula has the form

$$C_N(\alpha) = \frac{\Phi(x^n - 1)}{q^n}\prod_{f(x) \mid x^n - 1}\left(1 - \frac{1}{q^{\deg(f(x))} - 1}\sum_{\mathrm{Ord}(\psi) = f(x)}\psi\big([(x^n - 1)/f(x)] \circ \alpha\big)\right), \qquad (5)$$

where $f(x)$ runs through the irreducible factors of $x^n - 1$, see [15], etc.

Example 5. For the parameters $n = p^u$, $q = p^v$, the polynomial $x^n - 1 = (x - 1)^n \in \mathbb{F}_q[x]$ and the expression $[(x^n - 1)/f(x)] \circ \alpha = \mathrm{Tr}(\alpha)$ is the trace $\mathrm{Tr} : \mathbb{F}_{q^n} \to \mathbb{F}_q$ (since $f(x) = x - 1$ is the only irreducible factor of $x^n - 1$). Thus the characteristic function of normal elements in $\mathbb{F}_{q^n}$ is

$$C_N(\alpha) = (1 - 1/q)\left(1 - \frac{1}{q - 1}\sum_{\mathrm{Ord}(\psi) = x - 1}\psi(\mathrm{Tr}(\alpha))\right) = \begin{cases} 0 & \text{if } \mathrm{Tr}(\alpha) = 0, \\ 1 & \text{if } \mathrm{Tr}(\alpha) \ne 0. \end{cases} \qquad (6)$$

The Characteristic Function of Primitive Normal Elements

The product of the characteristic function of primitive elements (2) and the characteristic function of normal elements (4) in $\mathbb{F}_{q^n}$ realizes the characteristic function of primitive normal elements. Specifically

$$C_{PN}(\alpha) = \frac{\varphi(q^n - 1)}{q^n - 1}\,\frac{\Phi(x^n - 1)}{q^n}\sum_{d \mid q^n - 1}\frac{\mu(d)}{\varphi(d)}\sum_{f(x) \mid x^n - 1}\frac{M(f(x))}{\Phi(f(x))}\sum_{\mathrm{Ord}(\psi) = f(x)}\ \sum_{\mathrm{ord}(\chi) = d}\chi(\alpha)\psi(\beta), \qquad (7)$$

where $\alpha \in \mathbb{F}_{q^n}$, and $\beta = [(x^n - 1)/f(x)] \circ \alpha$.

The function CPN(α) is one of the basic tools used in the investigation of the distribution of primitive normal elements in finite fields. Typical applications are illustrated in [17], [4], etc, and in this paper.

The Characteristic Function of Completely Normal Elements

An element $\eta \in F_{q^n}$ is completely normal if and only if η is a normal element of $F_{q^n}$ over $F_{q^d}$ for all $d \mid n$. The characteristic function of completely normal elements in $F_{q^n}$ is constructed from the product of the characteristic functions of normal elements in $F_{q^n}$ over $F_{q^d}$ for all $d \mid n$. Here $F_{q^n}$ is an extension of $F_{q^d}$ of degree $e = [F_{q^n} : F_{q^d}]$, with $n = de$. Thus it follows that the characteristic function of completely normal elements is the product of the individual functions:

$$\begin{aligned} C_{CN}(\alpha) &= \prod_{e \mid n} \Big( \frac{\Phi(x^e-1)}{q^e} \sum_{f(x) \mid x^e-1} \frac{M(f(x))}{\Phi(f(x))} \sum_{\mathrm{Ord}(\psi)=f(x)} \psi\big([(x^e-1)/f(x)]\circ\alpha\big) \Big) \\ &= \prod_{e \mid n} \frac{\Phi(x^e-1)}{q^e} \prod_{f(x) \mid x^e-1} \Big(1 - \frac{1}{q^{\deg(f(x))}-1} \sum_{\mathrm{Ord}(\psi)=f(x)} \psi\big([(x^e-1)/f(x)]\circ\alpha\big)\Big), \end{aligned} \qquad (8)$$

where $\alpha \in F_{q^n}$, and f(x) runs through the irreducible factors of $x^e-1 \in F_{q^d}[x]$.

Example 6. For the parameters $n = p^u$, $q = p^v$, the polynomial $x^n-1 = (x-1)^n \in F_{q^{p^i}}[x]$, and the expression $[(x^n-1)/f(x)]\circ\alpha = \mathrm{Tr}_i(\alpha)$ is the trace $\mathrm{Tr}_i : F_{q^{p^u}} \to F_{q^{p^i}}$, $0 \le i < u$ (since $f(x) = x-1$ is the only irreducible factor of $x^n-1$). Thus the characteristic function of completely normal elements in $F_{q^n}$ is

$$C_{CN}(\alpha) = \prod_{i=0}^{u-1} \big(1 - 1/q^{p^i}\big)\Big(1 - \frac{1}{q^{p^i}-1} \sum_{\mathrm{Ord}(\psi)=x-1} \psi(\mathrm{Tr}_i(\alpha))\Big). \qquad (9)$$

Some Probabilities Formulae

The probabilities $P_1 = P(\mathrm{ord}(\alpha) = q^n-1)$ and $P_2 = P(\mathrm{Ord}(\alpha) = x^n-1)$ of primitive elements and normal elements α, respectively, in a finite field extension $F_{q^n}$ of $F_q$ are given by

$$P_1 = \frac{\phi(q^n-1)}{q^n-1} = \prod_{p \mid q^n-1} (1 - 1/p) \ge \frac{e^{-\gamma}}{\log(q^n-1)}, \qquad (10)$$

where p ranges over the prime divisors of $q^n-1$, and

$$P_2 = \frac{\Phi(x^n-1)}{q^n} = \prod_{f(x) \mid x^n-1} \big(1 - 1/q^{\deg(f)}\big) \ge (1 - 1/q)^n, \qquad (11)$$

where f(x) ranges over the irreducible divisors of $x^n-1$. The degree $\deg(f) = d$ of each irreducible factor f(x) is a divisor of n.

The distribution of primitive normal elements is more intricate than either the distribution of primitive elements or the distribution of normal elements. An exact closed form formula for the number of primitive normal bases of $F_{q^n}$ over $F_q$ appears to be unknown. However, there are asymptotic approximations. For example, the probability $P_3 = P(\mathrm{ord}(\alpha) = q^n-1 \text{ and } \mathrm{Ord}(\alpha) = x^n-1)$ of primitive normal elements is approximated by

$$P_3 \approx \frac{\phi(q^n-1)}{q^n-1}\,\frac{\Phi(x^n-1)}{q^n} \ge \frac{e^{-\gamma}(1-1/q)^n}{\log(q^n-1)}. \qquad (12)$$

It is clear that if q is sufficiently large, $P_1$ and $P_3$ are essentially the same. In fact the probabilities $P_1$ and $P_2$ are asymptotically independent. This means that the cardinalities of the sets of primitive polynomials and primitive normal polynomials, namely,

$$\frac{\phi(q^n-1)}{n} \sim \frac{e^{-\gamma}(q^n-1)}{n\log(q^n-1)} \quad\text{and}\quad \frac{\phi(q^n-1)\,\Phi(x^n-1)}{n\,q^n} \sim \frac{e^{-\gamma}(q-1)^n}{n\log(q^n-1)}, \qquad (13)$$

are very close. Thus the results for the coefficients of primitive polynomials and primitive normal polynomials are about the same. Another approximation, due to [5], for the number of primitive normal elements is

$$PN(q) = \frac{\phi(q^n-1)\,\Phi(x^n-1)}{n\,q^n} + O\big(q^{(.5+\varepsilon)n}\big), \qquad (14)$$

for all $\varepsilon > 0$.

Estimate of exponential sums

A few estimates are required in order to derive nontrivial results on the distribution of elements in finite fields.

Theorem 7. If $\chi \ne 1$ is a nontrivial multiplicative character on $F_{q^n}$, then

$$\Big|\sum_{\mathrm{Tr}(\xi) \ne 0} \chi(\xi)\Big| \le q^{(n-1)/2}. \qquad (15)$$

Theorem 8. Let ψ and χ be a pair of nontrivial additive and multiplicative characters on $F_{q^n}$, and let $f(x), g(x) \in F_q[x]$ be polynomials of degrees k and m respectively. Then

$$\Big|\sum_{x \in F_{q^n}} \psi(f(x))\,\chi(g(x))\Big| \le (k+m-1)\,q^{n/2}, \qquad (16)$$

where f(x), g(x) are not q-th powers and $k+m$ is the number of distinct roots of f and g in the splitting field, see [22], [24], and [25].

The point counting function

The point counting function

$$S_a(\xi) = \frac{1}{q} \sum_{\xi \in F_{q^n}} \sum_{x \in F_q} \psi\big(x(f(\xi) - a)\big) \qquad (17)$$

enumerates the cardinality of the solution set $\{\xi \in F_{q^n} : \mathrm{Tr}(f(\xi)) - a = 0\}$ of the equation $\mathrm{Tr}(f(\xi)) - a = 0$ in $F_{q^n}$, where f(x) is a function on $F_{q^n}$, and $a \in F_q$ is a constant.

Newton identities in finite fields

The coefficients of the polynomial $f(x) = x^n + a_1x^{n-1} + \cdots + a_{n-1}x + a_n$ are given by

$$a_1 = -\sum_{1 \le i \le n} z_i,\quad a_2 = \sum_{1 \le i_1 < i_2 \le n} z_{i_1}z_{i_2},\ \ldots,\ a_i = (-1)^i \sum_{1 \le i_1 < \cdots < i_i \le n} z_{i_1}\cdots z_{i_i},\ \ldots,\ a_n = (-1)^n \prod_{1 \le i \le n} z_i, \qquad (18)$$

where $z_1, z_2, \ldots, z_n$ are its roots. The symmetric functions $\sigma_i(z_1,\ldots,z_n)$ and the coefficients $a_i$ are equal up to a sign, that is, $a_i = (-1)^i\sigma_i(z_1,\ldots,z_n)$. The associated power sums are defined by

$$w_i = \sum_{1 \le j \le n} z_j^i = z_1^i + z_2^i + \cdots + z_n^i, \qquad i \ge 1. \qquad (19)$$

The cyclic structure of the roots of polynomials in cyclic extensions can be utilized to transform the power sums into different forms. Specifically, in finite fields the power sums become

$$w_i = \sum_{1 \le j \le n} z_j^i = \sum_{0 \le j \le n-1} \alpha^{iq^j} = \mathrm{Tr}(\alpha^i), \qquad i \ge 1, \qquad (20)$$

where $z_i = \alpha^{q^j}$ for some $j = 0, 1, \ldots, n-1$, and $f(\alpha) = 0$. Replacing the power sums in Newton's identities (1707) yields the corresponding identities for finite fields:

$$\begin{aligned} (1)\quad & \mathrm{Tr}(\alpha^k) = -k\,a_k - \sum_{i=1}^{k-1} a_i\,\mathrm{Tr}(\alpha^{k-i}), \qquad 1 \le k \le n, \\ (2)\quad & \mathrm{Tr}(\alpha^k) = -\sum_{i=1}^{k-1} a_i\,\mathrm{Tr}(\alpha^{k-i}), \qquad n < k. \end{aligned} \qquad (21)$$

These formulae are employed to solve problems about the coefficients of polynomials via the power sums. Fast algorithms for computing the coefficients from the power sums, and conversely, in $O(n\log(n))$ operations are discussed in [2]. A few of the coefficients are given here in terms of the power sums $w_i = \mathrm{Tr}(\alpha^i)$:

$$\begin{aligned} (1)\quad & a_1 = -w_1 = -\mathrm{Tr}(\alpha) = -(\alpha + \alpha^q + \alpha^{q^2} + \cdots + \alpha^{q^{n-1}}), \\ (2)\quad & a_2 = (2!)^{-1}(w_1^2 - w_2), \\ (3)\quad & a_3 = (3!)^{-1}(-w_1^3 - w_1w_2 + 2w_3), \\ (4)\quad & a_4 = (4!)^{-1}(2w_1^4 + 4w_1^2w_2 - 3w_2^2 + 4w_1w_3 - 6w_4), \\ (k)\quad & a_k = (k!)^{-1}\sum_{e} a_e\, w_1^{e_1}w_2^{e_2}\cdots w_k^{e_k}, \qquad e = (e_1,\ldots,e_k),\ e_i \ge 0,\ k \le n. \end{aligned} \qquad (22)$$

These formulae are defined in characteristic $p > k$. A direct calculation of the second coefficient

$$a_2 = \sum_{0 \le i < j \le n-1} \alpha^{q^i+q^j} = (2!)^{-1}\big(\mathrm{Tr}(\alpha)^2 - \mathrm{Tr}(\alpha^2)\big) \qquad (23)$$

in characteristic $p > 2$ can be accomplished in a few lines. But direct calculations of the other coefficients appear to be a lengthy and difficult task. Even the third coefficient

$$a_3 = \sum_{0 \le i < j < k \le n-1} \alpha^{q^i+q^j+q^k} = (3!)^{-1}\big(2\,\mathrm{Tr}(\alpha)^3 - \mathrm{Tr}(\alpha)\mathrm{Tr}(\alpha^2) - \mathrm{Tr}(\alpha^3)\big) \qquad (24)$$

in characteristic $p > 3$ is difficult to compute directly. But using the Newton identities in finite fields (21), this task is a simple algebraic manipulation.

Coefficients system of equations

Let $c_1, c_2, \ldots, c_k \in F_q$ be constants. The strategy of the analysis is to show that the system of equations

$$\mathrm{Tr}(x) = c_1,\quad \mathrm{Tr}(x^2) = c_2,\ \ldots,\ \mathrm{Tr}(x^k) = c_k \qquad (25)$$

has at least one primitive normal element solution $x = \alpha \in F_{q^n}$. This in turn implies the existence of at least one primitive normal polynomial f(x) with k prescribed consecutive coefficients. The constants $c_1, c_2, \ldots, c_k$ indirectly prescribe the k coefficients, namely,

$$a_1 = -\mathrm{Tr}(\alpha),\quad a_2 = a_2\big(\mathrm{Tr}(\alpha), \mathrm{Tr}(\alpha^2)\big),\ \ldots,\ a_k = a_k\big(\mathrm{Tr}(\alpha), \mathrm{Tr}(\alpha^2), \ldots, \mathrm{Tr}(\alpha^k)\big). \qquad (26)$$

The derivation of (26) from (25) is a direct consequence of the Newton identities in finite fields. The application of (25) and (26), and their use in the exponential sum (17), are the key ideas in the proofs of several problems on the existence and distribution of the coefficients of certain polynomials over finite fields. I observed the relationship between the trace function and Newton identities in the early 1990's while investigating the trace representations of sequences, and applied it to the theory of coefficients of primitive polynomials in [4].
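As an added worked example (not part of the paper), the following Python code evaluates the characteristic functions $C_P$ and $C_N$ of (3) and (4) by testing every element of a few small fields directly, compares the resulting counts with $\phi(q^n-1)$ and $\Phi(x^n-1)$ of (10)-(11) (including the quadratic case where primitive and primitive normal elements coincide), and recovers the coefficients $a_1, \ldots, a_n$ of the characteristic polynomial of α from the power sums $\mathrm{Tr}(\alpha^k)$ through the Newton identities (21) and the closed form (23). The fields GF(2^4), GF(5^2), GF(5^3) and their defining polynomials are constructed inputs; the primitivity test by the prime divisors of $q^n-1$, the linear-independence (rank) test for normality, and the cyclotomic-coset evaluation of $\Phi(x^n-1)$ are the editor's implementation choices, not formulas from the paper.

```python
"""Added worked example, not the paper's code: brute-force CP(a), CN(a), the counts
phi(p^n-1), Phi(x^n-1) behind P1, P2, and the Newton identities (21)-(23) in GF(p^n).
Elements of GF(p^n) = F_p[x]/(f) are n-tuples of coefficients, low degree first; p is
prime and f is a monic irreducible given by its coefficient list (constructed inputs)."""
from itertools import product
from math import gcd


def prime_factors(m):                                   # distinct primes dividing m
    return [r for r in range(2, m + 1) if m % r == 0 and all(r % s for s in range(2, r))]


class GF:
    def __init__(self, p, mod):
        self.p, self.n, self.mod = p, len(mod) - 1, mod
        self.zero, self.one = (0,) * self.n, (1,) + (0,) * (self.n - 1)

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, n, c = self.p, self.n, [0] * (2 * self.n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                c[i + j] = (c[i + j] + x * y) % p
        for k in range(2 * n - 2, n - 1, -1):  # reduce x^k, k >= n, by mod; c[k] clears last
            for i in range(n + 1):
                c[k - n + i] = (c[k - n + i] - c[k] * self.mod[i]) % p
        return tuple(c[:n])

    def pow(self, a, e):
        r = self.one
        for bit in bin(e)[2:]:                          # square-and-multiply, MSB first
            r = self.mul(r, r)
            if bit == "1":
                r = self.mul(r, a)
        return r

    def conjugates(self, a):                            # a, a^p, ..., a^(p^(n-1))
        return [self.pow(a, self.p ** j) for j in range(self.n)]

    def trace(self, a):    # Tr(a) = sum of the conjugates, an element of F_p (constant slot)
        return sum(c[0] for c in self.conjugates(a)) % self.p

    def is_primitive(self, a):                          # CP(a) = 1 iff ord(a) = p^n - 1
        m = self.p ** self.n - 1
        return a != self.zero and all(self.pow(a, m // r) != self.one for r in prime_factors(m))

    def is_normal(self, a):                             # CN(a) = 1 iff Ord(a) = x^n - 1
        rows, p = [list(c) for c in self.conjugates(a)], self.p
        for col in range(self.n):    # conjugates independent <=> this matrix is nonsingular
            piv = next((r for r in range(col, self.n) if rows[r][col]), None)
            if piv is None:
                return False
            rows[col], rows[piv] = rows[piv], rows[col]
            inv = pow(rows[col][col], -1, p)
            for r in range(col + 1, self.n):
                f = rows[r][col] * inv % p
                rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[col])]
        return True


def census(F):                # (#primitive, #normal, #primitive normal) over all of GF(p^n)
    prim = norm = both = 0
    for a in product(range(F.p), repeat=F.n):
        s, t = F.is_primitive(a), F.is_normal(a)
        prim, norm, both = prim + s, norm + t, both + (s and t)
    return prim, norm, both


def count_normal_theory(p, n):
    # Phi(x^n-1) = p^n prod_f (1 - p^-deg f) over the distinct irreducible f | x^n-1, as
    # in (11).  With m the p-free part of n, x^n-1 = (x^m-1)^(n/m), and for each d | m
    # the cyclotomic cosets give phi(d)/e distinct factors of degree e = ord_d(p).
    m = n
    while m % p == 0:
        m //= p
    total = p ** (n - m)
    for d in [d for d in range(1, m + 1) if m % d == 0]:
        e = next(t for t in range(1, d + 1) if pow(p, t, d) == 1 % d)
        total *= (p ** e - 1) ** (sum(gcd(k, d) == 1 for k in range(1, d + 1)) // e)
    return total


def coeffs_from_traces(F, a):
    # a_1..a_n of the characteristic polynomial of a from the power sums w_k = Tr(a^k),
    # by the Newton identities (21): Tr(a^k) = -k a_k - sum_{i<k} a_i Tr(a^(k-i)).
    assert F.p > F.n, "every k <= n must be invertible mod p"
    w = [0] + [F.trace(F.pow(a, k)) for k in range(1, F.n + 1)]
    coef = [1]                                          # a_0 = 1
    for k in range(1, F.n + 1):
        s = w[k] + sum(coef[i] * w[k - i] for i in range(1, k))
        coef.append(-s * pow(k, -1, F.p) % F.p)
    return coef[1:]


def a2_closed_form(F, a):                               # formula (23), characteristic p > 2
    return (F.trace(a) ** 2 - F.trace(F.mul(a, a))) * pow(2, -1, F.p) % F.p
```

For GF(5^3) the element x has characteristic polynomial x^3 + x + 1 itself, so `coeffs_from_traces` must return [0, 1, 1] from the traces alone, and in GF(5^2) every primitive element is normal, so the census returns equal primitive and primitive normal counts.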

3 The Extended Coefficient Theorem

There are various ways of extending the result on primitive polynomials of degree n with k prescribed coefficients in the finite field $F_q$ given in [4]. The refinement given here extends it to primitive normal polynomials. The constraint of linear independence on the roots of the polynomials restricts the set of primitive normal polynomials to a proper subset of the set of primitive polynomials. There is one exception: the set of quadratic primitive polynomials and the set of quadratic primitive normal polynomials coincide.

The first line of the proof given below, using a reductio ad absurdum argument, combines the various characteristic functions and the point counting function:

$$\sum_{\mathrm{Tr}(\alpha) \ne 0,\ \alpha \in F_{q^n}} C_N(\alpha)\,C_P(\alpha) \prod_{i=1}^{k} S_{c_i}(\alpha) = 0. \qquad (27)$$

This claims that there is no primitive normal element solution of the system of equations (25). The usual and standard strategy for dealing with this type of equation is to decompose it into several sums and then compute a lower estimate, which contradicts the equality; consult [3], [4], [5], [8], [13], [14], [15], [16], [20], and [21] for background details and other references on this type of analysis.

Proof of Theorem 1: The number of primitive normal polynomials with k prescribed consecutive coefficients $a_1 \ne 0, a_2, \ldots, a_k \in F_q$, q odd, is given by

$$\begin{aligned} N^*(n,q,c_1,\ldots,c_k) = \sum_{\mathrm{Tr}(\xi) \ne 0,\ \xi \in F_{q^n}} & \Big( \frac{\phi(q^n-1)}{q^n-1} \sum_{d \mid q^n-1} \frac{\mu(d)}{\phi(d)} \sum_{\mathrm{ord}(\chi)=d} \chi(\xi) \Big) \\ & \times \Big( \frac{\Phi(x^n-1)}{q^n} \sum_{f \mid x^n-1} \frac{M(f)}{\Phi(f)} \sum_{\mathrm{Ord}(\psi)=f} \psi(\mathrm{Tr}(\xi)) \Big) \prod_{i=1}^{k} \frac{1}{q} \sum_{x_i \in F_q} \psi\big(x_i(\mathrm{Tr}(\xi^i) - c_i)\big). \end{aligned} \qquad (28)$$

One possible approach to deal with (28) is to decompose it according to the order $\mathrm{Ord}(\psi) = 1$ or $\mathrm{Ord}(\psi) \ne 1$ of the additive character ψ. To accomplish this, rewrite it as

$$\begin{aligned} N^*(n,q,c_1,\ldots,c_k) = \frac{P_1P_2}{q^k} & \sum_{f \mid x^n-1} \frac{M(f)}{\Phi(f)} \sum_{\mathrm{Ord}(\psi)=f} \sum_{d \mid q^n-1} \frac{\mu(d)}{\phi(d)} \\ & \times \sum_{\mathrm{ord}(\chi)=d} \sum_{x_i \in F_q} \sum_{\mathrm{Tr}(\xi) \ne 0,\ \xi \in F_{q^n}} \chi(\xi)\,\psi\Big(\mathrm{Tr}\big(\xi + \sum_{i=1}^{k} x_i\xi^i\big) - \sum_{i=1}^{k} c_ix_i\Big). \end{aligned} \qquad (29)$$

Now separate (29) into two terms corresponding to $\mathrm{Ord}(\psi) = 1$ or $\mathrm{Ord}(\psi) \ne 1$, and simplify to obtain

$$\begin{aligned} N^*(n,q,c_1,\ldots,c_k) &= P_1P_2\Big(q^{n-1}(q-1) - \sum_{\mathrm{Tr}(\xi) \ne 0,\ \xi \in F_{q^n}} \chi(\xi)\Big) - P_2\,N(n,q,c_1,\ldots,c_k) \\ &= P_1P_2\Big(q^{n-1}(q-1) - \frac{1}{P_1}N(n,q,c_1,\ldots,c_k) - \sum_{\mathrm{Tr}(\xi) \ne 0,\ \xi \in F_{q^n}} \chi(\xi)\Big), \end{aligned} \qquad (30)$$

where $q^{n-1}(q-1)$ is the number of elements of $F_{q^n}$ with nonzero trace, and $N(n,q,c_1,\ldots,c_k)$ denotes the total number of primitive polynomials $f(x) = x^n + a_1x^{n-1} + \cdots + a_{n-1}x + a_n \in F_q[x]$ with k prescribed consecutive coefficients $a_1 \ne 0, a_2, \ldots, a_k \in F_q$.

Replacing the estimates $q^{k} \le N(n,q,c_1,\ldots,c_k) \le q^{n-s}$ and $\prod_{p \mid q^n-1}(1-1/p)^{-1} = P_1^{-1} < c_\varepsilon q^{n\varepsilon}$, where $s > 0$ is a small integer, $\varepsilon > 0$, and $c_\varepsilon$ is a constant, and the exponential sum estimate yields

$$N^*(n,q,c_1,\ldots,c_k) \ge P_1P_2\,q^{n-1}\Big(q - 1 - \frac{1}{q^{(n-1)/2}} - \frac{c_\varepsilon}{q^{s-\varepsilon n-1}}\Big). \qquad (31)$$

Since the product of the probabilities is in the range $0 < P_1P_2 < 1$, it readily follows that if $k < p$, then there exists a constant $q_1$ such that $N^*(n,q,c_1,\ldots,c_k) \ge 1$ for all $q \ge q_1$ and $s < \varepsilon n + 1$. ∎

This approach leads to a relatively easy proof of Theorem 1; it avoids the need to deal with the estimates of various exponential sums and with the function $\Omega(x^n-1)$, which enumerates the distinct irreducible factors of $x^n-1 \in F_q[x]$. The case $k = 1$ reduces to the primitive normal basis theorem of arbitrary trace. In fact this is a simpler proof than the first proof given in [3], which uses a variation of this technique.


REFERENCES:

[1] T. M. Apostol, Introduction to Analytic Number Theory, Springer-Verlag, N.Y., 1984.
[2] D. Bini, V. Y. Pan, Polynomial and Matrix Computations, Vol. 1: Fundamental Algorithms, Birkhäuser, Boston, MA, 1994.
[3] N. A. Carella, On primitive normal elements of arbitrary traces, preprint, submitted to Finite Fields and Their Applications, 1996.
[4] N. A. Carella, On the coefficients of primitive polynomials, preprint, submitted to Finite Fields and Their Applications, 1998/1999.
[5] L. Carlitz, Distribution of primitive roots in finite fields, Quarterly J. Math. 4 (1953), 125-156.
[6] S. D. Cohen, Primitive elements and polynomials with arbitrary trace, Discrete Math. 11 (1990), 1-7.
[7] S. D. Cohen, D. Hachenberger, Primitive normal bases with prescribed trace, Appl. Algebra Engrg. Comm. Comput. 9 (1999), no. 5, 383-403.
[8] H. Davenport, Bases for finite fields, J. London Math. Soc. 43 (1968), 21-39; 44 (1969), 378.
[9] J. von zur Gathen, M. Giesbrecht, Constructing normal bases in finite fields, J. Symbolic Computation 10 (1990), 547-560.
[10] K. Ham, G. L. Mullen, Distribution of irreducible polynomials of small degrees over finite fields, Math. Comp. 67 (1998), no. 221, 337-341.
[11] W. B. Han, The coefficients of primitive polynomials over finite fields, Math. Comp. 65 (1996), no. 213, 331-340.
[12] Hansen, G. L. Mullen, Primitive polynomials over finite fields, Math. Comp. 59 (1992), no. 211, 639-643.
[13] T. Helleseth, On the covering radius of cyclic codes and arithmetic codes, Discrete Appl. Math. 11 (1985), 157-173.
[14] D. Jungnickel, S. A. Vanstone, On primitive polynomials over finite fields, J. Algebra 124 (1989), 337-353.
[15] H. W. Lenstra, R. J. Schoof, Primitive normal bases for finite fields, Math. Comp. 48 (1987), no. 193, 217-231.
[16] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, Vol. 20, Addison-Wesley, 1983.
[17] I. Morgan, G. Mullen, Primitive normal polynomials over finite fields, Math. Comp. 63 (1994), no. 208, 759-765.
[18] I. Niven et al., An Introduction to the Theory of Numbers, John Wiley and Sons, N.Y., 1991.
[19] O. Moreno, C. Moreno, Exponential sums I and Goppa codes, Proc. Amer. Math. Soc. 11 (1991), no. 2, 523-531.
[20] O. Moreno, On primitive elements of trace equal to 1 in GF(2^m), Discrete Math. 41 (1982), 53-56.
[21] O. Moreno, On the existence of a primitive quadratic of trace 1 over GF(p^m), J. Combinatorial Theory Ser. A 51 (1989), 104-110.
[22] F. Pappalardi, I. E. Shparlinski, Artin's conjecture in function fields, Finite Fields Appl. 1 (1995), 399-404.
[23] I. E. Shparlinski, Computations and Algorithmic Problems in Finite Fields, Kluwer Academic Press, 1992.
[24] D. Wan, Generators and irreducible polynomials over finite fields, Math. Comp. 66 (1997), no. 219, 1195-1212.
[25] A. Weil, On some exponential sums, Proc. Nat. Acad. Sci. 34, 204-207.

163

164 REFERENCES:

A [1] L.M. Adleman, J. DeMarrais, A subexponetial-time algorithm for computing over finite fields, Math. Comp. Vol. 61, 1993, pp. 1-15. [1] G.B. Agnew, R.C. Mullin, and S.A. Vanstone, An implementation of elliptic curve cryptosystems over GF(2155), IEEE J. on Selected Areas in Communications, Vol. 11, No. 5, June 1993, pp. 804-813. [2] G.B. Agnew et al., An Implementation for Fast Public - Key Cryptosystem, J. Cryptology, (1991) 3:63 - 79. [1] Safwan Akbik, Normal generators over finite fields, J. Number Theory 41, 1992, pp.146-149. [1] T.M. Apostol, Introduction to Analytic Number Theory, Springer-Verlag, N.Y., 1984. [1] E. Artin, Geometric Algebra, Wiley, NY, 1957 [1] D. W. Ash et al., Normal Bases of Low Complexity, Discrete Applied Math., 25 (1989) pp.191 - 210.

B [1] Baumer, Uniform period, J. Number Theory, 1982 [1] Eva Bayer-Fluckiger, HW Lenstra, Forms In Odd Degree Extensions And Self-Dual Normal Bases, Amer. J. Math. 112 (1990) 359-373. [1] E. R. Berlekamp, Factoring Polynomials over Finite Fields, Bell System Tech. Journal 46 (1967) 1853-1859. [2] ______, Algebraic Coding Theory, Mcgraw Hill, N.Y. 1968. [3] ______, Factoring Polynomials over Large Finite Fields, Math. Computation 24 (1970) 713-735. [4] ______, Bit - serial Reed - Solomon Encoder, IEEE Trans. Inform. Theory Vol. IT - 28, Nov. 1982, pp. 869 - 74.

[1] BC Berndt, RJ Evans, HS Williams, Gauss Sums, Wiley& Sons, NY 1998. [1] KA Bird, TP Vaugham, Counting and constructing orthogonal circulants, J. Combin. Theory Series A, 24 No. 1 (1978) 34-49. [1] T. Beth, W. Geiselmann, Selbstduale Normalbasen uber GF(q), Archiv. Der Math. 55 : 44-48 (1988). [2] ______, D Jungnickel, H Lenz, Design Theory Volume I, Cambridge Press 1999. [1] D. Bini, Victor Y. Pan, Polynomials and Matrices Computations, Volume I: Fundamental Algorithms, Birkhauser, Boston, 1994. [2] ______, et al., Inversion of Circulant Matrices over Zm, to appear in Math. Comp. 2000. [1] P.B. Bhattacharya et al., Basic Abstract Algebra, Cambridge University Press, 1986. [1] ] I.F. Blake, S. Gao, R Lambert, Constructive problem for irreducible polynomials over finite fields, Lecture Notes in Computer Science 793 (1993) pp. 1-23.

[2] I.F. Blake, S. Gao, R.C. Mullin, NORMAL AND SELF - DUAL NORMAL BASES FROM FACTORIZATION OF cxq + 1 + dxq - ax - b, SIAM J. Discrete Math. Vol. 7, No. 3, pp. 449 - 512, August 1994.

165

[3] ______, Specific Irreducible polynomials With Linearly Independent Roots Over Finite Fields, Linear Algebra and Its Applications Vol. 253: 227-249, March (1997). [1] Dieter Blessenohl, Karsten Johnsen, Eine Verscharfung des Satzes von der Normabasis, J. Algebra 103, (1986), 141-159. [1] Borevich and Shafarevich, Number Thoery, Academic Press, NY, 1966. [1] J. Brillhart et al., Factorizations Of bn±1, b=2,3,5,6,7,10,11,12 Up To High Powers, Contemp. Math, Amer. Math Soc., Vol. 22, 1988, Providenc, R.I. Brillhart, Certain Cyclotomic Period Polynomials, Pacific J. Math. Vol. 152, No. 1 91992) pp. 15- 19.] [1] A. Bruen, B. Levinger, A theorem on permutations of a finite field, Can. J. Math. Vol. 25 No. 5, 1973, pp.1060 - 1065. [1] NH Bshouty, Gseroussi, Generalization Of Normal Basis Theorem, SIAM J. Disc. Math. 3, 1990, 330-337.

C ?[1] A Camion, A Deterministic algorithm for factoring polynomials of Fq[x], Ann. Disc. Math. Vol. 17, pp. 149-157, 1983.

* ?[1] H Campbell, I Hughes et al., On The Ring Of Invariants Of F n , Comm. Math. Helvetici 66 2 (1991) 171-180. [1] N.A. Carella, On primitive normal elements of arbitrary traces, Preprint 1997. [1] L. Carlitz, Primitive Roots in a Finite Field, Trans. Amer. Math. Soc. Vol. 73, 1952, p.373-382. [2] ______, Distribution of Primitive Roots in Finite Fields, Quarterly J. Math. 4 (1953) p.?. [3] ______, Kloosterman Sums and Finite Fields Extensions, Acta Arith. 16 (1969) 179-193. [1] R Chapman, Completely normal elements in quadratic iterated extensions of Finite Fields, Finite Fields and theirs Appl. 3 (1997) 1-10.

[1] S. Chowla, On Artin's Conjecture, J. Number Theory, Vol. 16, 1983, pp. 147 - 168.

[1] S. Cohen, Primitive Elements and Polynomials with arbitrary trace, Discrete Math., 83, 1990, pp. 1-7. [2] ______, Some Arithmetical Functions in Finite Fields, Glasgow math. J. 11 (1970), 21-36.

D [1] H. Davenport, Bases of finite Fields, J. London Math. Soc., Vol.43, No. 169, 1968, pp.21-39. [1] Davis, Circulant Matrices, Wiley Publishing Co. [1] H. Dubner, Large Sophie Germain Primes, Math. Comp. Vol. 65, No. 213, 1996, pp.393 - 396. [1] M. Diab, Systolic architecture for multiplication over GF(2n), Procceedings of AAECC-9, Lecture Notes in Computer Science 508 (1991) pp.329-340. [1] L.E. Dickson, Cyclotomic, Higher Congruence, and Waring's Problem, Amer. J. Math. 57 (1935) 391-424.

E [1] T. ElGammal, A subexponetial-time algorithm for computing discrete logarithm over GF(p2), IEEE Trans. Inform. Theory Vol. 31, 1985, pp. 473 -481.

166

[1] R Evans, Reciduacity Of Primes, Rocky Mount. J. Math. Vol. 19 No. 4, 1989, 1069-1081. [2] ______, Period Polynomials For Generalized Cyclotomic Periods, Manuscripta Math. 40 (1982) 217-243. [3] ______, The Octic Period Polynomial, Proc. Amer. Math. Soc. Vol. 87 No. 3, 1983, pp. 389-393.

F [1] M. Feng, A VLSI architecture for fast inversion in GF(2n), IEEE Trans. Computers Vol. 38, No., . 1989, pp.1383-1386.

[1] Sandra Fiesel, [1] R Fricke, Lehrbruch der Algebra, Vol. 3 Branschweig, 1928.

G [1] J Ganz, Factoring Polynomials Using Binary Representations Of Finite Fields, IEEE Trans. On Infor. Theory Vol. 43, No.1, 1997, pp.147-153.

[1] S. Gao and H.W. Lenstra, Optimal normal bases, Designs, Codes Cryptography 2, 315 - 323 (1992). [2] S. Gao, G.L. Mullen, Dickson Polynomials and Irreducible Polynomials over Finite Fields, J. Number Theory 49, 118 - 132 (1994). [3] S. Gao, S.A. Vanstone, On Orders of Optimum Normal Basis Generators, Math. Comp. Vol. 64, No. 211, July 1995, pp. 1227 - 1233. [4] S. Gao, J. von zur Gathen, D. Panario, Gaussian periods and fast exponentiation in finite fields, Proceedings Latin `95: Theorectical Informatics, LNCS 911, pp.311-322, Springer-Verlag 1995. [5] ______, Gaussian periods: Orders and cryptographic applications, Math. Comp. Vol. 67, No. 221, 1998, pp. 343-352. [1] Joaquim von zur Gathen, Mark Giesbrecht, Constructing normal bases in finite fields, J. Symbolic Computation (1990) 10, 547-570. [2] J. von zur Gathen, Igor Shparlinski, Orders of Gaussian Periods in Finite Fields, Algorithms and Computation 95, LNCS 1004, pp.208-215, Springer-Verlag 1995. [1] D. Gillies, Three New Mersenne Primes and Statistical Theory, Math. Comp. Vol. 18, No. 85, January 1964, pp.93 - 95. ?[1] W. Geiselmann, A Note On The Hash Function, LNCS Vol. 1025, Springer-Verlag, N.Y. 1995, pp257-263. [1] W. Geiselmann, D. Gollmann, Symmetry and Duality in Normal Basis Multiplication, LNCS Vol. # 357, Springer - Verlag, N.Y. 1988, p230 - 238. [2] ______, VLSI design for exponentiation in GF(2n), Advances in Cryptology: Procceedings of Auscrypt 90, Lecture Notes in Computer Science 453 (1990) pp.398-405. [3] ______, Duality and Normal Bases Multipliers, Cryptography and Coding III, Institute of Mathematics and its Applications, Conference Series, Claredon Press, Oxford, 1993, pp.187 - 195. * [4] ______, Self Dual Bases in F n , Designs, Codes, Cryptography 3 (19930 − q 333-345. [1] J.A. Gordon, Very simple method to find the minimum polynomial of an arbitrary nonzero element of a finite field, Electronics letters, Vol. 12 (1976) pp.663-664.

167

[1] S. Gurak, Factors of period polynomials for finite fields II, Contemporary Math.Vol. 168, (1994) pp. 127-138. [2] ______, Minimal Polynomials For Gauss Circulants And Cyclic Units, Pac. J. Math. Vol.102, No.3 (1982) pp.347-353. [3] ______, On The Last Factor Of The Period Polynomials For Finite Fields, Acta Arith. 71 (1995) pp. 391-400. S. Gurak, Minimal Polynomials for Circular Numbers, Pac. J. Math. Vol. 112 No. 2, pp. 313-331, 1984. ______, Factors of Period Polynomials for Finite Fields II, Contemporary Math. Vol. 168, AMS, 1994, pp. 127-138. [1] D Goss, Basic Structure Of Function Fields Arithmetic, Modern Math. Series Vol. 35, Springer-Verlag, N.Y. 1996. [1] S. Gupta, D. Zagier, On the coefficients of the minimal polynomials of Gaussian periods, Math. Computations, Vol. 60, No. 201, January 1993, pp.385-398. [1] R. Guy, The Strong Law of Large Numbers, Am. Math. Monthly, Vol. 95, No. 8, Oct 1988.

H [1] K. Ham, G. L. Mullen, Distribution of irreducible polynomials of small degrees over finite fields, Math. Comp. Vol. 67, No. 221, 1998, pp.337-341. [1] W. B. Han, The coefficients of primitive polynomials over finite fields, Math. Comp. Vol. 65, No. 213, 1996, pp. 331-340. [1] Hansen, G. L. Mullen, Primitive polynomials over finite fields, Math. Comp. Vol. 59, No. 211, 1992, pp.639-643. [1] M.A. Hasan et al., Modular construction of low complexity parallel multiplier for a class of finite fields GF(2n), IEEE Trans. Computers Vol. 41, No. 8, Aug. 1992, pp.962-971. ?[2] ______, , IEEE Trans. Computers Vol. , No. , Apr. 1993, pp. [3] ______, Modified massey omura parallel multiplier for a class of finite fields, IEEE Trans. Computers Vol. 42, No. 10, Oct. 1993, pp. 1278-1280. [4] ______, Architecture for a low complexity rate adaptive R-S encoder, IEEE Trans. Computers Vol. 44, No. 7, Jul. 1995, pp.. [1] T. Helleseth, On the Covering Radius of Cyclic Codes and Arithmetic Codes, Disc. Appl. Math. 11 (1985) 157-173. [1] D.R. Heath-Brown, On Artin’s conjecture for primitive roots, Quart. J. Math., 37 (1986), 27-38. [1] Hua Loo Keng, Introduction to Number Theory, Springer-Verlag, N.Y., 1982.

I [1] K. Imamura, On self-complementatry bases of GF(qn) over GF(q), Trans. IECE Japan (Section E), 66 (1983) 717-721. [2] ______, The number of self complementary bases of a finite field of characteristic 2, IEEE International Symp. Inform. Theory, Kobe, 1988. [1] K. Imamura, M. Morii, Two classes of finite fields which have no self-complememtary normal bases, IEEE International Symp. Inform., Theory, Brighton, England, June 1985. [1] T. Itoh, O. Teechi, S. Tsujii, A Fast Algorithm for Copmuting Multiplicative Inverse in GF(2t) Using Normal Bases, J. Soc. for Electronic Communications (Japan) 44 (1986) pp.31-36. [2] Toshiya Itoh, Shigeo Tsujii, Structure of Parallel Multipliers for a Class of Fields GF(2m), Information and Computations 83, 21 - 40 (1989).

168

[3] ______, Effective recursive algorithm for computing multiplicative inverse in GF(2m) using normal bases, Inform. Computing 78 (1988), 171-177. [4]______, An effective algorithm for deciding quadratic residuocity in finite fields GF(qm), Inform. Proc. Letters 30 (1989) 111-114.

J [1] Dieter Jungnickel, Scott A. Vanstone, On Primitive Polynomials over Finite Fields, Journal of Algebra 124, 337-353 (1989). [2] ______, A. Menezes, S. Vanstone, On the Numbers of Self-Dual Bases of GF(qn), Proc. Amer. Math. Soc. 109, 1990, pp.23-29. [3] ______, Finite Fields: Structure and Arithmetics, Bibliograhishes Institut, Mannheim, 1993. [4] Dieter Jungnickel et al, A note on orthogonal circulant matrices over finite fields, Archiv der Mathemathik 62 No. 2 (1994) pp. 126-133. [5] ______, Trace-Orthogonal Normal Bases, Discrete Applied Math. 1995?

L ?[1] J Lacan, E Delpeyroux, A Note on Normal Bases, Proceedings AAECC−11, LNCS 948 (1995) pp. 334-340. [1] S. Lange, Algebra, Addison Wesley Publishing Company, N.Y. 1984.

[1] D.H. Lehmer, Emma Lehmer, Cyclotomy with short periods, Math. Comp. Vol. 41, No. 164, October 1983, pp.743 - 758. [2] ______, The Cyclotomic of Hyper-Kloosterman Sums I, Acta Arith. 12 (1967) 385-407. [3] ______, The Cyclotomic of Hyper-Kloosterman Sums II, Acta Arith. 14 (1968) 89-111. [4] ______, The Cyclotomic resultants, Math. Comp. Vol. 48, No. 177, 1987, pp.211-216. [5] DH Lehmer, An extended theory of Lucas functions, Ann. Math.. Vol. 52 (1930) pp. 293-304. [6] E. Lehmer, On Special Primes, Pac. J. Math. Vol. 118 No. 2, pp. 471-478, 1985. [7] ______, On the number of solutions of uk + D ≡ w2 mod p, Pac. J. Math. Vol. 5, pp.103-118, 1955. [1] A. Lempel, Charaterization and Synthesis of Self-Complementary Normal Bases in Finite Fields, L. Algebra and Its Appl. 98 (1988) 331-346. [2] ______, G. Seroussi, Explicit Formulas for Self-Complementary Normal Bases in Finite Fields, IEEE Trans. Inform. T. Vol. 37, No. 4 (1991) pp. 331-346. [3] ______, M.J. Weinberger, Self-Complementary Normal Bases in Finite Fields, SIAM J. Discrete Math. 1 (1988) 193-198 [1] H.W. Lenstra, R.J. Schoof, Primitive Normal Bases for Finite Fields; Math. of Computation, Vol. 48, Number 193, January 1987, pp. 217-231. [2] H.W. Lenstra, Finding Isomorphisms Between Finite Fields, Math. Comp. Vol. 56, No. 193, January 1991, pp.329 - 347. [1] Rudolf Lidl, Harard Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications Vol. 20, 1997, Addison-Wesley Publishing Company. [1] J.H. van Lint, Introduction to Coding Theory; Springer - Verlag, N.Y. 1982. [1] Gunter Loh, Long Chains of Nearly Double Primes, Math. Computations, Vol. 53, No. 188, October 1989, pp.751-759.

169

M [1] S. Maclane, G. Birkhoff, Algebra, 2nd Ed., MacMillan Publishing Company, N.Y. 1979.

[1] F.J. MacWilliams, Orthogonal matrices over finite fields, Amer. Math. Monthly, 76, 1969, pp.152-164. [2] ______, Orthogonal circulant matrices over finite fields and how to find them, J. Combin. Theory, 10 (1971) 1-17. [1] E.D. Mastrovito, VLSI Design for Multiplication over the Finite Fields GF(2n), LNCS Vol. 357, Springer-Verlag, New York, 1988, .pp.297 - 309. [1] Masakato Morii et al., Efficient bit - serial multipliers and the discrete Wiener - Hopf equation over finite fields, IEEE Trans. Inform. Theory Vol. No. 35, Sept. 1989, pp.1177 - 1183. [1] R. McConnel, Pseudo - ordered polynomials over a finite field, Acta Arithmetica, Vol. 8, 1963, pp.127 - 151. [1] R. J. McEliece, Finite Fields for Computer Scientists and Engineers, Kluwer, Boston, 1987. [2] ______, J. Rumsey, Euler Products, Cyclotomic, and Coding, Journal Number Theory 4 (1972), pp. 302-311. [1] A.J. Menezes, I.F. Blake, X Gao, R.S. Mullin, S.A. Vanstone, and T. Yaghoo, Applications of Finite Fields, Kluer, Boston-Dordrecht-Lancaster, 1993. [2] ______, P.C. van Oorschot, S.A. Vanstone et al., Handbook of Cryptography, CRC Press, Boca Raton,1997.

[1] H Meyn, Construction of Irreducible Self-Reciprocal Polynomials, App. Alg. Eng. and Computation Vol. 1 (1990) 119-124. [2] ______, Explicit N-polynomial of 2-Power Degree over Finite Fields I, Designs Codes, Cryptography 6 (1995) 107-116. [1] Carlos J. Moreno, Algebraic Curves over Finite Fields, Cambridge Tracts in Math., Vol. 97, Cambridge, 1991. [1] Oscar Moreno, On Primitive Elements Of Trace Equal To 1 In GF(2m), Discrete Math. 41 (1982) pp.53-56. [2] ______, On the Existence of a Primitive Quadratic of Trace 1 over GF(pm), J. Combinatorial Theory Series A 51, 104-110 (1989) [3] ______, C. Moreno, Exponential Sums I and Goppa Codes, Proc. Amer. Math. Soc. Vol. 11 No. 2, Feb. 1991, pp. 523-531. [1] Ilene Morgan, Gary Mullen, Primitive Normal Polynomials Over Finite Fields, Math. Comp. Vol. 63, No. 208, October 1994, pp.759-765. [2] ______, Completely Normal Primitive basis generators of Finite Fields, Utilitas Mathematica 49 (1996) pp.21-43. [3] ______, M Ziviovic, Almost weakly self-dual bases for Finite Fields, Appl. Alg. In ECC 8 (1997) pp.25-31. [1] R.C. Mullin, I.M. Onyszchuk, S.A. Vanstone, and R.M. Wilson, Optimal normal bases in GF(pn), Discrete Appl. Math. 22 (1988/1989), 149-161. [2] R.C. Mullin, A characterization of the extremal distribution of optimal normal bases, in Designs, Codes, Groups, M. Hall Proceeding, Vermont, 1990. [1] Leo Murata, On the Magnitude of the Least Prime Primitive Root, Journal Number Theory 37 (1991), pp. 47-66. [1] G. Myerson, Period Polynomials and Gaussian Sums for Finite Fields, Acta Arith. 39 (1981)

170

251-264.

N [1] K Nemoga, S Schwarz, An explicit description of the set of all normal bases generators of a finite field, Czech. Math. J. 49 (124), 1999, No. 1, 81-96. [1] H. Niederreiter, An enumeration formula for certain irreducible polynomials with application to the construction of irreducible polynomials over the binary field, Applicable Algebra 1 (1990), pp.119-124. [2] ______, Factoring polynomials over Finite Fields using differential equations and normal bases, Math. Comp. Vol. 62, No. 206, 1994, pp. 819-830. [1] Ivan Niven et al., An Introduction to the Theory of Numbers, John Wiley and Sons, N.Y., 1991.

P [1] V. Y. Pan, D Bini, Polynomials and Matrix Computations Volumes 1 Fundamental Algorithms, Birkhauser, Boston, 1994. [1] V. Y. Pan, Computation With Dense Structured Matrices, Math. Comp. Vol. 55, No. 191, (1990), pp.179-190. [1] F. Pappalardi, Igor E. Shparlinski, Artin’s Conjecture in Functions fields, Finite Fields And Theirs Applications, 1, 399-404 1995. P [1] D. Y. Pei, et al., Normal bases of finite fields GF(2m), IEEE Trans. on Inform. Theory Vol. IT32, 1986, pp. 285 - 287. [1] A. Pencin, Bases for finite fields and a canonical decomposition for a normal basis generator, Commun. Alg. Vol.17, No. 6 (1989), 1337-1352. [2] ______, A new algorithm for multiplication in finite fields, IEEE Trans. on Computers Vol. 38, No. 7, 1989, pp.1045 - 1049. [1] S. Perlis, Normal bases of cyclic fields of prime power degree, Duke Math. J. Vol. 9, No. 2, (1942), 507-517. [1] A Poli, Llorenc Huguet, Error Correcting Codes, Theory and Applications, Printice Hall 1992. [2] A Poli, Deterministic constrution of normal bases with complexity O(n3+nlognloglognlogq), J. Symbolic Computation 19 (1995) 305-319. [3] _____, Constructing self complementary bases in charateristic 2, IEEE Trans. on Inform. Theory Vol. IT41, No. 3, 1995, pp. 790-794.

R [1] P. Ribenboim, The Book of Prime Number Records, Springer - Verlag, N.Y., 1988. [1] Hans Riesel, Prime Numbers and Computer Methods for Factorizations, Progress in Mathematics, Vol. 57, Birkhauser, Boston, 1985. [1] M. Rybowicz, Search for primitive polynomials over finite fields, J. of Pure and Applied Algebra, 65 (1990) 139 - 151.

S
[1] W. M. Schmidt, Equations over Finite Fields, LNM Vol. 536, Springer-Verlag, Berlin, 1976.
[1] R. Schroeppel, H. Orman, S. O'Malley, O. Spatscheck, Fast Key Exchange with Elliptic Curve Systems, Advances in Cryptology, CRYPTO '95, LNCS 963, Springer-Verlag, 1995, pp. 43-56.
[1] P. Scott, S. Tavares, L. Peppard, A fast VLSI multiplier for GF(2^n), IEEE J. on Selected Areas in Communications 4 (1986) pp. 62-66.
[1] I. A. Semaev, Construction of polynomials irreducible over a finite field with linearly independent roots, Math. USSR Sbornik 63, 1989, 507-519.
[1] G. E. Seguin, Low complexity normal bases for GF(2^{nm}), Discrete Applied Math. 28 (1990) 309-312.
[1] G. Seroussi, A. Lempel, Factorization of Symmetric Matrices and Trace-Orthogonal Normal Bases in Finite Fields, SIAM J. Comp. 9 (1980), 758-767.
[1] Stefan Schwarz, Irreducible polynomials over finite fields with linearly independent roots, Math. Slovaca 38, No. 2, 1988, 147-158.
?[2] ______, Quart. J. Math. Vol. 2 (7), 1956, pp. 110-124.
[1] A. Scheerhorn, Trace and Norm Compatible Extensions of Finite Fields, AAECC 3 (1992) 199-209.
[2] ______, Dickson Polynomials, Completely Normal Polynomials and Cyclic Module Structure of Specific Extensions of Finite Fields, Designs, Codes and Cryptography 19, 193-202 (1996).
[3] ______, Iterated constructions of normal bases, Contemp. Math. Vol. 168, AMS, 1994, 309-325.
[1] Igor E. Shparlinski, Computational and Algorithmic Problems in Finite Fields, Kluwer Academic Press, 1992, 1999.
[2] ______, Artin's Conjecture in Function Fields, Finite Fields and Their Applications, 1995?.
[1] V. M. Sidel'nikov, On the normal bases in finite fields, Math. Sbornik Vol. 61, No. 2 (1988) 485-494.
[1] Gabriele Steidl, On normal bases for finite commutative rings, Math. Nachr. 145 (1990), 151-168.
[1] S. A. Stepanov, I. E. Shparlinski, On the structure complexity of a normal basis of a finite field, LNCS 278 (1978), 414-416.
[2] ______, On the construction of a primitive normal basis of a finite field, Math. Sbornik 180, No. 8 (1989), 1067-1072.
[3] ______, Acta Arith. 49 (1987) 189-192.
S. A. Stepanov, Arithmetic of Algebraic Curves, p. 34, 1994.

[1] D. R. Stinson, On bit-serial multiplication and dual bases in GF(2^m), IEEE Trans. Inform. Theory Vol. 37, Nov. 1991, pp. 1733-1737.

[1] T. Storer, Cyclotomy and Difference Sets, Lectures in Advanced Math., Markham, Chicago, 1967.

T
[1] F. Thaine, Properties That Characterize Gaussian Periods and Cyclotomic Numbers, Proc. Amer. Math. Soc. Vol. 124, No. 1, 1996, pp. 35-45.
[2] ______, Families of irreducible polynomials of Gaussian periods and matrices of cyclotomic numbers, Math. Comp. Vol. 69, No. 232, 1999, pp. 1653-1666.


W
[1] S. Wagstaff, Divisors of Mersenne Numbers, Math. Comp. Vol. 40, No. 161, 1983, pp. 385-397.
[2] ______, Aurifeuillian Factorizations and the Period of Bell Numbers, Math. Comp. Vol. 65, No. 213, 1996, pp. 383-391.
[1] Daqing Wan, Generators and irreducible polynomials over finite fields, Math. Comp. Vol. 66, No. 219, 1997, pp. 1195-1212.
[1] J. Wang, et al., VLSI Architecture for Computing Multiplications and Inverses in GF(2^n), IEEE Trans. on Computers Vol. C-34, No. 8, August 1985, pp. 709-717.
[1] C. C. Wang, D. Pei, A VLSI design for computing exponentiation in GF(2^n) and its application to generator of pseudorandom number sequences, IEEE Trans. Computers Vol. 39, No. 2, Feb. 1990, pp. 258-262.
[2] ______, An algorithm to design finite field multipliers using self dual normal bases, IEEE Trans. on Computers Vol. 38, No. 10, 1989, pp. 1457-1460.
[1] M. Wang, I. F. Blake, Normal bases of finite fields GF(2^m) over GF(2), IEEE Trans. on Inform. Theory Vol. 43, No. 2, March 1997, pp. 737-739.
[1] B. L. van der Waerden, Algebra Volume I, Springer-Verlag, N.Y., 1991.
[1] K. S. Williams, Euler Criterion for Cubic Nonresidue, Proc. Amer. Math. Soc. Vol. 49, No. 2 (1975), 277-283.
[1] Wassermann, Konstruktion von Normalbasen, Bayreuther Mathematische Schriften 31 (1990) 155-164.
[2] ______, Zur Arithmetik in endlichen Körpern, Bayreuther Mathematische Schriften 44 (1993) 147-151.
[1] Wen-C. Winnie Li, Character Sums and Abelian Ramanujan Graphs, J. Number Theory 41 (1992), pp. 199-217.
[1] Huapeng Wu, M. A. Hasan, Efficient exponentiation of a primitive root in GF(2^n), IEEE Trans. Computers Vol. 46, No. 2, Feb. 1997, pp. 162-171.

Z
[1] Neal Zierler, J. Brillhart, On primitive trinomials (mod 2), Inform. and Control 13 (1968) 541-554.
[2] ______, On primitive trinomials (mod 2) II, Inform. and Control 14 (1969) 566-569.
[3] Neal Zierler, On x^n + x + 1 over GF(2), Inform. and Control 16 (1970) 502-505.
[1] M. Zivkovic, A table of primitive binary polynomials, Math. Comp. Vol. 62, 1994, pp. 385-386.
[2] M. Zivkovic, A table of primitive binary polynomials II, Math. Comp. Vol. 63, 1994, pp. 301-306.
[1] W. C. Waterhouse, The Normal Basis Theorem, Amer. Math. Monthly 86, No. 3 (1979) p. 212.
[2] ______, A Unified Version of the Primitive and Normal Basis Theorem, Comm. Alg. 22 (1994) 2305-2308.
